OCR Phase 2 Audits Have Begun ... Are You Prepared?

As of Monday, July 11, sites began receiving audit notices and were given 10 days to respond. These audits will examine each entity’s compliance with the HIPAA Privacy, Breach and Security Rules. OCR officially sent out 167 notices to health care providers, including at least one hospital site that we’ve been communicating with. Notifications to business associates will begin in the fall.

NOTE: If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OSOCRAudit@hhs.gov.

In actuality, the audit is very limited. Of the hundreds of documents that the site could have been required to produce, only a handful were actually requested. While we believe this is all this hospital will receive, more e-mails with document requests may still come. We recommend that all sites confirm they can produce the same set of documents that OCR requested in this instance, namely:

Requirements Selected for Desk Audit Review

Privacy Rule:

  • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  • Provision of Notice – Electronic Notice [§164.520(c)(3)]
  • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule:

  • Timeliness of Notification [§164.404(b)]
  • Content of Notification [§164.404(c)(1)]

Security Rule:

  • Security Management Process – Risk Analysis [§164.308(a)(1)(ii)(A)]
  • Security Management Process – Risk Management [§164.308(a)(1)(ii)(B)]

CompliancePro Solutions has put together a detailed list of the documents actually requested in the OCR audit, as well as a list of ALL documents that OCR could require in a full audit. Lists for the Privacy, Breach and Security protocols have been completed.

PrivacyPro customers can find these documents, along with notes on how to use them, in the “Enforcements and Audits” folder of the PrivacyPro Customer Library:

Request and Notice of Audit OCR Audit Phase 2 OCR Phase 2 Audit Questions / Requests Phase 2 OCR Audit Protocols Checklist of Documents to Produce - Excel Version Phase 2 OCR Audit Protocols Checklist of Documents to Produce - Word Version

All non-customers interested in these documents should contact us via email or submit a request from our website to obtain them.

CompliancePro Solutions stays on top of the latest in OCR HIPAA activities. If you have any questions about the OCR audits or the documents referenced above, or would like more information about how our PrivacyPro software, extensive Reference Library and HIPAA expertise can help you manage your privacy and security compliance in a cost-effective manner, please contact Kelly at kmclendon@complianceprosolutions.com.