How to Respond to OCR Audit Requests

Eagle Associates has prepared an article and a short video, both of which provide instruction on responding to communications from OCR regarding the audit program. You can either read the article or watch the video. You do not need to view both, as the content is the same. Contact our office at (800) 777-2337 if you have any questions regarding the audit process.

Watch the video:

Preparing for a HIPAA Audit

Read the text:

HIPAA Audit Notices

Many practices have received an email from the Office for Civil Rights (OCR) asking them to verify the practice's information and contact. The notice indicates that the practice is being entered into a pool of potential auditees for the HIPAA Privacy, Security and Breach Notification audit program.

It is important for your practice to respond to the notice in the time frame specified. Failure to respond will not protect you from being audited, as OCR has indicated that it will use publicly available information to obtain the data it needs. Responding to the notice does NOT mean you have been selected for an audit.

Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR.

Once your contact information has been verified, you will receive an email asking you to complete a screening questionnaire. Again, it is very important that you complete the questionnaire in the specified time frame. As with responding to the contact notice, receiving a questionnaire does NOT mean you have been selected for an audit yet.

Notice Content

The content of the verification email from OCR is as follows:

“According to our records, you are the primary contact OCR should use to reach Associated Surgeons and Physicians regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this email address.

Please respond within fourteen (14) days as instructed below to either confirm your identity and email address or instead provide updated primary and secondary contact information.

If you ARE the primary contact for this organization, please select the following link YES. Once the link is selected, a browser window will open and your response will be recorded.

If you ARE NOT the primary contact for this organization, please select the following link NO. Once the link is selected, a browser window will open and your response will be recorded.

Thank you for your cooperation. If we do not receive a response from you we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.”

Screening Questionnaire

The screening questionnaire is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program. The data will be used with other information to help OCR select entities that reflect a variety of types, sizes, and locations for the next phase of the Audit Program.

Audit Selection

Covered entities and business associates will be notified of their selection for an audit on a rolling basis.

Please be aware that if your entity is selected for an audit, you will have ten (10) business days to respond with the requested documentation.

Business Associates List

When selected for an audit, entities must submit a list of all current business associates, with up-to-date contact information, within the 10-day response period. OCR will use this information to compile a list of potential business associate subjects to audit. OCR encourages entities to develop the business associate listing in advance so they are able to meet the submission requirements. The business associate listing should be submitted as a spreadsheet with columns that contain the name of the entity, the type of service(s) provided, primary and secondary contact names, titles, emails, phone numbers, address, and website, if any.

A template for the spreadsheet is available at this link.

Desk/On-Site Audits

If you are selected for an audit, OCR will either:

  1. conduct a focused desk audit (an OCR review of submitted documentation) to determine evidence of your compliance with selected provisions of the Rules; or
  2. conduct a comprehensive on-site review of your compliance with applicable requirements of the HIPAA Rules; or
  3. follow up a desk audit with an on-site audit.

The audit protocols, which contain criteria the auditors will use, are available for review at this link.

OCR will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues or where a covered entity or business associate fails to cooperate with an audit.

Preparing for a Potential Audit

There are four major elements to demonstrating that you have made a reasonable effort to comply with HIPAA requirements:

  • Ensure that you have written policies addressing all of the requirements listed in HIPAA’s Privacy, Security, and Breach Notification Rules.
  • Document a self-auditing or other process that will prove your policies have been implemented (i.e., they are followed by members of the workforce) and that you maintain them in accordance with published updates to each Rule.
  • Ensure that you have documented training (content and participation) for new-hire and annual training on the Privacy, Security, and Breach Notification Rules.
  • Ensure that you have documentation of annual Security Risk Analysis as required by the Security Rule.

Resources Available from Eagle Associates

Eagle Associates provides a complete solution for ensuring compliance with HIPAA requirements. Our HIPAA Compliance System includes:

  • A completely written HIPAA policy manual with a full complement of HIPAA forms; this is not a fill-in-the-blank workbook. We update the policy manual each year to ensure compliance with changes in regulations and new interpretations.
  • Eagle Associates is currently reviewing the OCR Audit Protocol to determine whether any policy revisions are necessary in advance of the audits.
  • An annual audit plan tool is available for completion to provide proof of policy implementation and regulatory updates.
  • Clients enrolled in Eagle’s Management Consulting Program will have documentation using monthly compliance activities instead of the annual audit plan.
  • Training materials and documentation for new-hire and annual training for workforce members.
  • The HIPAA Compliance System includes a complete Security Risk Analysis tool for your use, and is updated each year.
  • Eagle provides Live Support for subscribing clients; this provides unlimited support at no additional cost for a practice. Clients can call or email as often as needed with questions, problems, or incidents.

If you already subscribe to the HIPAA Compliance System, you will be notified of any necessary policy revisions in the coming weeks. Remember that the above-mentioned resources are available in the Member Services area of our web site. In the front of your HIPAA Policy manual, there are instructions on how to log in to Member Services.

Please contact our office at (800) 777-2337 if you have any questions, or need assistance.