OCR HIPAA Audits Are Coming. Are You Prepared?

Written by Kristina Sink on Wednesday, May 20th 2015 — Categories: HIPAA Compliance


The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. After years of testing and delays, the second round of HIPAA audits is finally materializing. These audits are expected to be more comprehensive, focusing on the real-world application of policies and procedures across the entire organization and its business associates (BAs).

This program puts to the test the processes, controls, and policies of covered entities (CEs) and BAs in accordance with the HITECH Act audit mandate. The OCR has published its entire audit protocol on its website, which fully outlines the procedures auditors must follow when conducting a program audit, making it easier to prepare.

Is your health organization ready for the OCR auditor?

This audit is not graded on a curve; you either pass or you fail. Failing the audit can be detrimental to your business. The OCR website lists many failed audits and the associated fines, anywhere from hundreds to millions of dollars. You do not want to find your organization on that list.

1. Read through the entire audit protocol

Know what will be on the test. Familiarize yourself with the expectations, and determine which areas may need some work. Identify any gaps your organization may have, update documents as needed, and don’t forget to give your staff a refresher course on HIPAA policies and procedures.

2. Get your BAs on board

Hopefully, you already have a thorough list of your organization’s BAs and the services they provide to you; if no such list exists, assemble one now so you have an adequate sense of their compliance operations. Make sure the Business Associate Agreement (BAA) for each BA is up to date, and ask each BA for a list of all of its subcontractors. BAs will need to focus on risk analysis and management, along with their specific policies and procedures for breach notification to the CEs they serve.

3. Internal self-assessment

Conduct an internal risk assessment focusing on security, privacy, and breach notifications. For security, concentrate on device encryption, media controls, and data transmission security protocols. Privacy covers elements such as safeguards, staff training, and the daily practice of HIPAA policies and procedures. Breach notifications must contain the elements that inform those affected of what happened, the types of unsecured protected health information involved, further steps they should take, investigation details, and contact procedures for anyone wanting more information.

No one, whether a CE or a BA, is exempt from a potential OCR audit, and surprises are never fun when exams are involved. Do yourself and your organization a favor by preparing in advance.
