Steps to Take to Prepare for an OCR Audit

All covered entities and business associates should be prepared for an audit by HHS. Covered entities and business associates should review their privacy, security and breach notification policies and practices. In particular, they should confirm their compliance with the following HIPAA requirements:

Notice of Privacy Practices.
Organizations must provide printed copies of the organization’s current privacy notice to patients and make this notice available on the organization’s website. These notices must include their effective date as well as:

  • How the organization may use and disclose protected health information (PHI);
  • The patient’s rights with respect to PHI and how the patient may exercise these rights, including how the patient may complain to the organization;
  • The organization’s legal duties with respect to PHI, including a statement that the covered entity is required by law to maintain the privacy of PHI; and
  • A contact for further information about the organization’s privacy policies.

Written HIPAA policies, procedures and documentation.
An organization’s HIPAA policies and procedures should conform with the administrative, technical and physical safeguards promulgated by HHS and should identify any risks or vulnerabilities in the organization’s collection, storage or use of PHI. The organization should implement safeguards for all paper, electronic and verbal PHI, including PHI on mobile devices and storage media.

OCR has reviewed covered entities’ HIPAA documents as part of the audit.  As such, covered entities should evaluate their HIPAA policies and procedures and verify that the documentation is organized and current.  Covered entities must ensure that their policies and procedures are in final form, i.e., no “track changes” and are easily accessible.  In addition, you should review your organization’s complaint logs, investigation work papers, corrective action plans, training materials, and training attendance logs and ensure that records are complete and fully reflect the organization’s efforts to be HIPAA compliant.

Risk Assessment.
Organizations should both conduct risk assessments and promptly implement appropriate security measures to address any identified risks. These assessments should include, at a minimum, an evaluation of the likelihood and impact of potential risks to PHI, documentation of the organization’s security 3 measures and, where required, the rationale for adopting such measures. Organizations must also conduct periodic follow-up security risk assessments to identify, address and document any deficiencies so as to maintain continuous, reasonable and appropriate security protections. And in light of HHS’s new guidance on ransomware (discussed below), organizations should include the threat posed by ransomware attacks in their security assessments.

Identify all Business Associates.  
OCR’s initial announcement of its audit plans indicated that both covered entities and business associates will be subject for review.  However, OCR later announced that the audits will focus on covered entities and business associates will be included in future audits.  Therefore, given the complexity of business associates, covered entities are strongly encouraged “to get a handle” on their business associates sooner rather than later.  Organizations should identify their business associates and review written agreements to ensure that HIPAA compliant requirements are included in the business associates’ contracts.  Further, organizations should periodically assess and document business associates compliance with the HIPAA Privacy and Security Rules.

Breach Procedures.
Organizations must implement notification policies and procedures that conform to HIPAA requirements for breaches of unprotected PHI (including HHS guidelines for breaches affecting 500 or more individuals). Organizations should conduct training for new employees and ongoing training for all staff on how to appropriately respond to a security breach.

Source :,