
What to Do if You are Selected for an OCR Audit

12/03/2014  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


The time to prepare for an audit is before you have been selected. Based on the pilot OCR audits in 2012, we can assume that your time to respond will be limited. Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind, audits are NOT enforcement actions. The stated goal of the audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. HHS will use the data to assess the overall health of information security in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been chosen for an OCR audit, the following guidelines describe what you will want to do.

If You Are Chosen for an OCR Audit, Mobilize!

Assemble your team. The team should include your privacy and security officials and your organization’s compliance officer (if you have one). It’s also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from the OCR and responses provided by you to the OCR. Keep your counsel on stand-by to provide you with guidance if necessary.

Respond completely and in a timely fashion. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that being unresponsive will only make things worse for you if the OCR uncovers significant findings of non-compliance. Make sure you keep thorough records of all transactions during the audit process, and it’s a good idea to appoint one person to be in charge of all audit-related correspondence. A few additional guidance points from the OCR include:

  • Only requested data submitted on time will be assessed.
  • All documentation must be current as of the date of the request.
  • If yours is a desk audit, auditors will not have opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
  • Do not submit extraneous information as it will increase the difficulty for the auditor to assess required items.
  • Failure to submit responses to requests may lead to referral for regional compliance review.

Craft responses carefully and don’t be bashful about questioning findings that you believe to be inaccurate. Historically, the OCR has allowed organizations to respond to identified issues. Be prepared to justify your position with facts and to explain your rationale for decisions you have made about your compliance and security strategy. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach to complying with all of the standards.

Hopefully your OCR audit will go smoothly. If you have done a good job addressing compliance standards and building out your security program, the report will require little or no follow-up. If not, you may be subject to voluntary compliance activities or to a more in-depth compliance review. Compliance reviews that identify significant issues may require additional corrective action or may lead to resolution agreements. In these cases, it’s advisable to engage attorneys and consultants who are well-versed in working with the OCR.

Learn more about preparing your firm for the upcoming OCR audit in the new guide, OCR Audits Demystified.

Posted in: Healthcare