During the NIST OCR HIPAA Security Conference we covered in the last two episodes, there was also a session on OCR Audit Updates. OCR gave an update on the information gleaned so far from the compliance desk audits that were started in 2016. Their presentation included some interesting details. Today we cover the information they shared so you can compare and contrast those details against your own program.

HIPAA For MSPs by J. David Sims OCR Audit Updates Phase 2
00:00:00 00:00:00

OCR Audit Updates Phase 2

The intent of the audits is to create better tools and guidance to help covered entities and business associates protect patient health information.  This first update includes the summary information concerning the CE audits.  The BA audits are still under review so we only have a few details on their audits.  The on-site audits were mentioned as still on the table for discussion but they have no specific dates or a timeline.

Business associates that were audited were largely selected from a list of over 20,000 entities identified by the audited 166 covered entities.  The vast majority of those covered entities were providers at 90% of ones audited.  Lack of response to the audits will not get you excluded from future audit activities and definitely don’t ignore them if you want them to work with you on issues.

The audit process includes a review of the documentation you send them.  Then, they provide a report for you to see their findings.  You do get the option of adding a written response to the findings but that does not equal a change to the audit findings, just an additional note to them.  They also make it clear that if they find serious issues they will handle them accordingly.

Under OCR’s separate, broad authority to open compliance reviews, OCR could decide to open a separate compliance review in a circumstance where significant threats to the privacy and security of PHI are revealed through the audit.

Audits included very specific requests.  Each covered entity either received a request for information relating to the Privacy and Breach Notification Rules or the Security Rule.  Business associates were asked to provide documentation relating to the Breach Notification and Security Rules.  We did discuss all of the published requirements last year when the audits first came out but that has been a while.  Below is the list of documentation requested on the Privacy and Breach Notification Rule audits:

  • Notice of Privacy Practices
    • Copy of all notices including URL of notice posted on the entity web site, electronic notice policy and procedures
  • Right to Access
    • Access requests, extensions to access requests, access requests templates/forms, NOPP, access policies and procedures
  • Timeliness of Notification
    • Documentation for five small and large breaches incidents
  • Content of Notification
    • Five large breach incidents, breach template/form, copy of a single written notice

The documentation requested on the Security Rule audits was focused only on the Risk Analysis and Risk Management elements of the rule.  That doesn’t mean it was easy by any means because those two elements are fill of documentation requirements all by themselves.

Risk Analysis

  • Current and prior risk analysis and results
  • Policies and procedures of the risk analysis process
  • Policies and procedures related to the implementation of risk analysis 6 years prior to the date of audit notification
  • Documentation from the previous year demonstrating implementation of risk analysis process, how it is available to persons responsible for process and evidence the documentation is periodically reviewed and updated, as needed


Risk Management

  • Documentation demonstrating the security measures implemented to reduce risks as a result of the current risk analysis or assessment
  • Documentation demonstrating the efforts used to manage risks from the previous calendar year
  • Policies and procedures of the risk management process
  • Policies and procedures related to the implementation of risk management for the prior 6 years of the date of audit notification
  • Documentation demonstrating the current and ongoing risks reviewed and updated
  • Documentation from the previous year demonstrating implementation of the risk management process, how it is available to persons responsible for the risk management process and evidence the documentation is periodically reviewed and updated, as needed

Compliance Effort Ratings

Most interesting to us were the new Compliance Effort Ratings they used to grade the audits.  It provided some of the best definitions of what is an acceptable effort for a compliance program that I have ever seen.  The rating system scores from 1 to 5 like a round of golf, the lower the better.

Rating Description
1 The audit results indicate the entity is in compliance with both goals and objectives of the selected standards and implementation specifications.
2 The audit results indicate that the entity substantially meets criteria; it maintains appropriate policies and procedures, and documentation and other evidence of implementation meet requirements.
3 Audit results indicate entity efforts minimally address audited requirements; analysis indicates that entity has made attempts to comply, but the implementation is inadequate, or some efforts indicate a misunderstanding of requirements.
4 Audit results indicate the entity made negligible efforts to comply with the audited requirements – e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic.
5 The entity did not provide OCR with evidence of serious attempt to comply with the Rules and enable individual rights with regard to PHI.

OCR Audit Updates


There really isn’t a lot of news in the details included in these OCR audit updates.  At least for us, they don’t show many things that we didn’t already see in our day to day operations.  However, we see the new Compliance Rating System is a great tool.  We are really looking forward to the next round of OCR audit updates that should include more information on the compliance efforts of the business associates that were audited.