The OCR announces a new round of HIPAA audits! Are you ready?


By Margaret Scavotto, JD, CHC
Director of Compliance Services
Management Performance Associates

On March 21, 2016, the OCR announced that it has launched its second round of HIPAA compliance audits.

This round of audits will target covered entities and business associates, and will review policies and procedures for compliance with the Privacy, Security, and Breach Notification Rules. Most audits will be “desk audits” (completed without an on-site visit from the OCR); however, the OCR will conduct 3-5 day on-site audits at its election.

What to expect

Keep an eye out for an email from the OCR verifying your contact information. If you get this email, you will need to respond within 14 days – and you might become part of the audit pool. The OCR has made it clear that it expects covered entities and business associates to check their junk/spam folders in order to avoid missing this email.

If you are selected for an audit, the OCR will send you a document request. Covered entities and business associates should be prepared to produce their HIPAA Privacy, Security, and Breach Notification policies and procedures, as well as their Security Risk Assessment, training records, and other required HIPAA documentation, within ten business days. Then, the OCR will prepare draft findings, and audit subjects will have 10 business days to respond to these findings. The OCR will then produce a final report within 30 business days.

The main purpose of the OCR audits is compliance improvement. However, covered entities and business associates should be prepared for an investigation if the audit discovers noncompliance. With two multi-million-dollar penalties issued last week, covered entities and business associates have every motivation to prepare themselves for a good audit.

Are you ready for an audit?

Whether you are selected for an audit, or experience the inevitable data breach that leads to an OCR investigation, enforcement stakes are high. This makes your HIPAA compliance plan a high priority. Are you ready to produce your Privacy policies and procedures within 10 days? Are you confident that your policies and procedures are up-to-date, customized for your organization, and fully implemented? What about Security policies and procedures, and your risk assessment? Have these been reviewed and updated recently? Can you verify that business associate agreements are in place with all business associates? Can you produce Breach Notification policies, and documentation of analysis of potential breaches?

For more information on this phase of OCR audits, click here.



  1. I think the announcement and movement forward by HHS-OCR is going to be like an alarm clock going off. Some people will hear it and it will serve as a genuine prompt into action, whatever action that may be…or it may result in some folks hitting the snooze button so that they can drift back into their previous state from before the alarm clock sounded.

    Let’s also be fair and understand that there are some organizations that could serve as models of HIPAA compliance, so hitting the snooze button and drifting back into their current state is not necessarily a bad thing.
