How to prepare if you’re selected for an OCR audit

The forthcoming Office of Civil Rights (OCR) audits for HIPAA compliance have seen some delays this fall – but that doesn’t mean covered organizations can delay their audit preparations. In fact, it’s more important than ever that covered entities and business associates ready themselves, if they haven’t already.

What should organizations do to prepare for the possibility of an audit? How can you demonstrate compliance efficiently and effectively? Let’s take a look at the essential steps.

Clearing up the myths

First, with so many myths floating around about HIPAA compliance and enforcement, it’s important to clarify what the audits are, and what they aren’t.

OCR audits aren’t the same as enforcement actions. Instead, they’re part of a broad effort to measure HIPAA compliance among covered entities across the industry, and ultimately determine common areas of need for better protection of healthcare data.

So if you receive a notification that you’ve been selected for an audit, don’t panic. You may be under the microscope, yes, but it’s not because you’ve done something wrong. The key is effective preparation.

How and when to respond

One of your top-level concerns should be assembling the information that auditors will seek. This will help streamline the process and help you gauge your own readiness. If you are selected for an audit, OCR will supply you with instructions on exactly how to reply.

These instructions will also tell you when to respond, and that’s an equally important point. Only the information that you’ve submitted according to schedule will be evaluated, but that does not give you an advantage; we’ve seen evidence that being slow-to-respond can compound your difficulties if you are ultimately found to be out of compliance in a significant way.

With this in mind, take care to conduct all correspondence with OCR in a timely manner, adhering to the schedule that they set. Often it is appropriate to assign one individual to be responsible for these communications. Make sure your information is current as of the time of request, and don’t send data that OCR hasn’t asked for. As the audit process proceeds, be sure to make comprehensive records of all your correspondence.

Building the right team

In order to respond effectively to an audit, you’ll need the right team. That means security and privacy officials within your organization, relevant senior decision-makers, as well as your compliance officer, if you’ve designated one.

Your legal counsel, whether in-house or external, is another essential part of your OCR audit response team. Keep them up-to-date throughout the entire process, giving them access to all communications between your organization and OCR.

Within your organization, transparency and coordination between the relevant officials is absolutely key.

Speaking up

It’s important to be timely and helpful during your audit, but that doesn’t mean you should be shy or overly deferential. If OCR delivers a finding that you perceive to be inaccurate, you should speak up – OCR generally gives organizations the opportunity to respond to the issues they raise.

Of course, if you challenge OCR’s findings, you should be ready to back up your assertions with facts. Use documented evidence when possible and be able to justify your security and compliance strategy.

One crucial thing to remember about HIPAA is that you have some flexibility to meet many of its requirements in various ways, but you must be able to provide the rationale for your decisions. Recently, we discussed how organizations might employ various approaches to session timeouts to meet the HIPAA implementation specification for Automatic Logoff on devices with access to ePHI.

The next steps

When you communicate with OCR, be clear and deliberate. Craft your messages carefully, and provide the requested information in transparent detail – but avoid supplying arbitrary or superfluous data. Be timely in all of your responses, and ensure that you have a qualified and responsive team in place to handle the audit process.

What if your report identifies problems? In this case, you may be asked to undergo voluntary compliance activities, or possibly a more detailed review. For very serious issues, your organization may be required to take actions to correct your issues; in some cases, you may have to go through resolution agreements. In such situations, we recommend working with consultants and attorneys who have experience dealing with the OCR.

An audit is a nerve-wracking experience for many, but you can take steps to minimize both your risk and the disruption. If you’ve prepared properly and put strong compliance measures in place alongside a robust security program, you should have minimal or even no required follow-up activity after your report. With the right actions, you can get through the audit smoothly and focus your attention on helping patients.

More about

Don't miss