close popup
Skip to main content
Skip to footer

The NewQuill+

Unbelievable $34.99 Paper Price + FREE eGift Cards + More Learn More


Give Your Organization a Head Start Preparing for OCR's Audit Program

One thing is for sure. You don’t want to wait until you get a notification letter from the Office for Civil Rights(OCR), before you start preparing for a HIPAA audit. OCR is the federal agency charged with enforcing the HIPAA Privacy, Security and Breach Notification Regulations. Beginning in early 2015, OCR plans to audit 200 covered entities (CE) to measure their compliance with the HIPAA Privacy Rule, Security Rule, and breach notification requirements. These CE audits will be followed by up to 400 audits of business associates to measure their compliance with the Security Rule and how they intend to approach their obligations under the Privacy and Breach Notification Rules.

According to OCR the initial phase of the covered entity audits will be “desk audits”, requiring organizations to submit documentation that it has policies and processes in place that meet the requirements of the Rules. The specific topics that will be reviewed in the audit has not been announced.

While the audit protocol OCR will use in connection with the upcoming desk audits has not been finalized, they have identified areas in which it intends to focus its attention. Health care providers and health plans would be required to demonstration how they are meeting the Privacy Rule requirements for notices of privacy practices and the patient’s right to access their protected health information maintained by the covered entity. The agency indicated that the scope of the review for Security Rule compliance will cover policies and procedures for conducting the required risk analysis of the effectiveness of safeguards protecting information systems that handle e-PHI as well as the organization’s mitigation plan to address gaps to that are identified through the assessment. OCR also identified the policies and processes of covered entities to identify whether an unauthorized use or disclosure of PHI is reportable under the Breach Notification Rule as well as the processes in-pace for making the required notifications if a breach has occurred.

The second phase of the audit program targeting HIPAA business associates will also be performed through desk audits. OCR has indicated that the scope will likely focus on how the business associate has developed and implemented the risk analysis and security risk management required under the Security Rule as well as processes in place to assess for and notify their covered entities when their has been a breach involving PHI.

OCR also expects to resume comprehensive, onsite or in-person audits. OCR had conducted onsite audits of 115 covered entities in 2012. The onsite audits were comprehensive reviews of compliance in which trained auditors would spend a number of reviewing policies and procedures as well as observing how organizations had put their processes into practice. OCR has not provided specifics on how many covered entities will be selected for the onsite reviews. But, the agency has said it intends to ramp up the number of comprehensive audits as it expands the number of OCR staff specially trained to perform compliance audits.

Health care provider practices and group health plan administrators should prepare now by what going through the steps to take to prepare if the organization were randomly selected for one of those audits. Organizations need to review OCR’s audit protocol, as well as the HIPAA and HITECH regulations themselves. Then they need to make sure they have guidelines, policies, and procedures in place to support the regulations and assure those documents are revised to stay up-to-date.

So where can healthcare organizations get started?

Ask yourself some basic questions to determine your audit readiness. If OCR selects your organization for an audit, who will receive the notification letter? How will that notification get to the practice manager or person responsible for HIPAA compliance in your practice or employer sponsored group health plan? What documentation exists to demonstrate your HIPAA compliance and where is it located? Who needs to be on your team that will handle an audit? How often should the audit prep team meet?

Aim for centralized accountability. To guide your audit preparation, use the HIPAA audit protocol posted on the OCR website (, along with other resources to develop a matrix tool that lists the documents that can be expected to be requested for an audit team will request.

OCR revised the audit protocol several times as it conducted its 2012 audits. The audit protocol serves as a guide for audit activities.  The audit protocol OCR produced in 2012 included 169 separate procedures—81 for privacy, 78 for security, and 10 for the breach notification rule.

Make sure the audit preparation includes a central repository for the documentation of all HIPAA compliance efforts and records. You need to know where all that documentation is for easy retrieval. These are very much evidentiary-based audits. Demonstration of compliance is the focus.

Review your documentation. Keep in mind that the list of policies, procedures and other documents you want to compile is unique to your organization. The scope of issues to be reviewed is most likely not going to be the same for every audited CE because the audit protocol is evolving and changes as the program matures.

When it comes to our documentation, review it with the following four C’s in mind.

  • Completeness. Do you have a complete set of policies and procedures that describes the controls you have in place to ensure privacy and security?
  • Compliance. Do those policies and procedures meet the mandate of the rules?
  • Currency. Are they up-to-date and do they reflect what is actually happening in your organization, such as on the floor of your hospital?
  • Consistency. Is there consistency between your policies and procedures and your practice and evidence?

Don't wait until you receive notification from OCR that you have been selected for an audit. We’ve known about this for a long time. OCR believes that there are no excuses for not having appropriate policies and procedures in place. The HIPAA Privacy Rule has been in place since 2003 and the HIPAA Security Rule since 2005.  Too often health care practices and employer group plans are looking for the magic bullet. They think, ‘give me the checklist.’ It doesn’t work that way—it requires commitment and preparation.