What to expect from an OCR audit? | GHX

Jackie McGuinn

Strategic Marketing Senior Manager
Wednesday, August 10, 2016

What to expect from an OCR audit?

The OCR audits are already well underway. For those organizations that did not find a notice in their inbox, now is not the time to rest. The need for a robust credentialing and compliance program has never been more important.

The emailed notices sent out on July 11, 2016 informed 167 covered entities that they were selected for a HIPAA Phase II audit by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS). Providers may have felt relieved to not be included on this initial list but they shouldn’t get too comfortable. The audit program is just getting traction and any kind of HIPAA complaint can trigger a HIPAA investigation and spur close scrutiny. With thousands of complaints registered with the OCR each year, more audits are not just likely, they are certain.

These initial desk audits present challenges in the unknown to the first round of recipients but some common expectations have emerged already. One of the biggest obstacles healthcare providers encounter is the short turnaround allowed to gather necessary documents. With only 20 days to gather, deliver and respond – 10 days to produce documents and 10 days to respond to a draft audit report –  systems and processes need to be tightly managed. The inability to produce proper data and documentation in the time allowed could result in an on-site audit.

This is certainly not an exhaustive list, but it is a list of commonly requested information:

  • A list of all Business Associates with updated contact information and product/service category
  • Proof of signed BAAs with Business Associates 
  • Proof that Business Associates are adhering to terms of BAA
  • Documentation of most recent security risk assessment
  • Copies of HIPAA Policies and Procedures
  • Documentation of HIPAA training for employees and security reminders
  • Incident response plan

In the case of an OCR audit, being over-prepared is the best plan. A successful program will provide documentation to prove your process and provide for quick access to the exact data requested (sending too much information could trigger a complicated audit) in order to meet the tight turn-around required. And, the requested information needs to be delivered in an electronic format. It is important to know that OCR will only look at data dated prior to the audit letter further emphasizing the need to establish a strong program well before an audit letter hits the desk. Regardless of whether you were selected for a Privacy Rule audit or Security Rule audit, expect to provide proof that vendors are adhering to terms for Business Associate Agreements.

Building a vendor compliance and management program is only going to increase in importance over time and will need to evolve to address new concerns highlighted by the OCR. The latest concern being insider threats where the OCR recommends following US CERT steps to protect protected health information and to establish a formalized insider threat program. These emerging recommendations add to the growing list of areas to consider when building out a compliance program.

GHX is here to help with solutions and services that help accomplish compliance requirements, identify your trading partners for credentialing, and ultimately combine supply chain and compliance functions for the greatest benefit.