Once the OCR representative completes an onsite audit, they will analyze the findings and results to determine the next step to take.
Depending on the results, the OCR may:

  • Provide suggested actions an organization should take to maintain or improve its compliance with HIPAA regulations, and to prevent potential breaches in the future.
  • Develop tools and guidance protocol to increase an organization’s ability to self-assess compliance issues.
  • Levy penalties and sanctions against the organization, depending on the level of negligence and severity of discovered protocol breaches.

Preparing for the Post-Audit Stage:
After HIPAA audit, you really only two options: comply with the OCR’s suggestions, or face the consequences of being deemed negligent.
First, take the suggestions made by the auditor seriously. Take the advice given to you as a mandate, not a suggestion. As soon as you receive the final report, start making the necessary changes to your policies and procedures to ensure you’re doing what needs to be done to improve your organization in the eyes of the OCR.
After you’ve made the proper changes to your immediate circumstances, begin planning to implement strategies to:

  • Assess your organization’s operations objectively
  • Detect warning signs of a breach as soon as possible
  • Proactively amend policies and procedures before a breach occurs in the future

The OCR is more likely than ever to penalize organizations due to negligence and major breaches of HIPAA. However, organizations that can prove they’re working toward compliance will be less likely to face sanctions than those that have been completely negligent. In other words, the more honest you are about the challenges your organization has faced in becoming HIPAA compliant, the more likely the OCR is to help you – rather than punish you.

Source :