
We’re often asked when helping clients with their HIPAA compliance, “What do we do if we’re audited [by the OCR]?”  It is analogous to the old adage about buying a home: location, location, location.  In the HIPAA world, it’s document, document, document!

You must record your HIPAA compliance efforts, regularly contributing to the “body of evidence” that your practice is on the compliance path and making improvements.  Conversely, if you aren’t documenting your efforts and you receive an audit notice, it’s too late to do anything.  You’re up the creek without a paddle!

Being Prepared:

Here are some practical steps to document your HIPAA compliance progress and build your body of evidence.

  1. Perform your annual Security Risk Assessment and document the results.  I recommend using an independent third party, as the results are unbiased, faster and cheaper than attempting a self-assessment.  If your practice’s revenue is over $5 million annually, you must use a third party.
  2. Appoint a HIPAA Compliance (privacy and/or security) Officer who has a documented job description and is trained and ready to respond.  (A HIPAA response team is a good idea.)
  3. Provide and document HIPAA training to your staff that reflects job responsibilities and current regulations.
  4. Adopt HIPAA policies and procedures that reflect how your practice does business and are written so that they can be easily read, understood and acted upon.
  5. Have Business Associates sign a current Business Associate Agreement (BAA) and confirm they are protecting PHI per the BAA and HIPAA regulations.
  6. Document your remediation activities addressing the deficiencies identified in your annual risk assessment.

Responding:

  1. Follow the instructions they provide and RESPOND.  Don’t ignore the request; the OCR will not just go away.  Send only what they request and don’t send more.  If they ask for a specific policy and procedure, send just that one, not the entire set.
  2. Here is where your body of evidence pays off.  You will be requested to send proof of:
    • privacy practices
    • your most recent Security Risk Assessment
    • specific policies and procedures implemented including Risk Management Plan
    • security incident records
    • remediation activities taken to better secure your practice’s ePHI
  3. Do not submit information that is not relevant to your HIPAA compliance.
  4. Be punctual! If you send in your information late, the OCR may consider your tardiness during the audit process.  This is NOT a good way to start an audit.
  5. Remember, you have to submit your information in digital format, so compile your report in a logical, easy-to-review format.

Take our HIPAA Quick-Check to check how prepared you are.

Start now and be prepared. Protect your patients, protect your practice, protect yourself.