The time to prepare for an audit is before you have been selected. But, if you’ve already been selected we can still get you ready.
Now is the time to prepare, knowing that you might be called on at some point to show evidence of compliance. Keep in mind, audits are NOT enforcement actions.
What’s the goal of an OCR audit?
The stated goal of the OCR audit program is to gauge overall HIPAA compliance across a wide variety of covered entities and business associates. The data will be used by HHS to assess the overall health of information security in the industry and to identify where additional outreach or education might be necessary. If you are notified that your organization has been chosen for an OCR audit, the following provides guidelines as to what you will want to do.
If You Are Chosen for an OCR Audit, Mobilize!
Assemble your team. The team should include your privacy and security officials and your organization’s compliance officer (if you have one). It’s also a good idea to notify your internal and/or external legal counsel so they can be kept apprised of all requests from the OCR and responses provided by you to the OCR. Keep your counsel on standby to provide you with guidance if necessary.
Respond completely and in a timely fashion. If you are notified that you have been selected for an audit, you will also get instructions on how and when to reply. There is documented evidence that being unresponsive will only make things worse for you if the OCR uncovers significant findings of non-compliance. Make sure you keep thorough records of all transactions during the audit process, and it’s a good idea to appoint one person to be in charge of all audit-related correspondence.
A few additional guidance points from the OCR include:
- Only requested data submitted on time will be assessed.
- All documentation must be current as of the date of the request.
- If yours is a desk audit, auditors will not have the opportunity to contact you for clarification or to request additional information, so it is critical that your documents adequately reflect the program.
- Do not submit extraneous information as it will increase the difficulty for the auditor to assess required items.
- Failure to submit responses to requests may lead to referral for regional compliance review.
Craft responses carefully and don’t be bashful about questioning findings that you believe to be inaccurate. Historically, the OCR has allowed organizations to respond to identified issues. Be prepared to justify your position with facts and to explain your rationale for decisions you have made about your compliance and security strategy. There are many areas where HIPAA’s lack of specific direction works in your favor, assuming you can demonstrate a thoughtful and reasonable approach to complying with all of the standards. Hopefully, your OCR audit will go smoothly. If you have done a good job addressing compliance standards and building out your security program, the report will require little or no follow up. If not, you may be subject to voluntary compliance activities or to a more in-depth compliance review. Compliance reviews that identify significant issues may require additional corrective action or may lead to resolution agreements. In these cases, it’s advisable to engage attorneys and consultants who are well-versed in working with the OCR.
If your OCR audit is part of the ongoing OCR audit program, be aware that the purpose of the random audits is to gauge the compliance of the larger population. Not just you. The OCR has been charged with educating and equipping organizations with compliance strategies, and part of that mission necessarily includes a certain number of audits to find out how organizations are performing.