HIPAA For MSPs OCR Desktop Audit Details
00:00:00 00:00:00

On Wednesday, July 13, selected CEs were invited to a webinar. The staff walked through the processes that the CEs could expect for the OCR desktop audit and the expectations for their participation. The following Q&As are not just important for the selected CEs. They are important for everyone because you can be selected for an audit at any time. The OCR also requested the CEs to send them a list of their BAs, so you business associates aren’t out of the woods either.

OCR Desktop Audit FAQs

  • Can we delete things we uploaded already?
    • No, once an entity selects the “review and submit” button, you can not return to the system to delete and
      replace files that were previously uploaded.
  • If I uploaded documents in incorrect area – how do I remove them?
    • If the entity has already selected the “review and submit” button, it cannot go back and delete a previously uploaded file. Therefore, it will need to provide an explanation in the comment section. If the entity has not yet clicked the submit button, it can replace the wrong file with a new file.OCR desktop audit
  • If a practice sends/uploads the wrong information, will the OCR go back to the practice to clarify what they were looking for?
    • No. We will rely only on the submitted documentation.
  • Can policies that have been in process for 3 plus months be included even though they have not yet cleared the final approval step?
    • Where entities are asked to provide documentation for a specified time period (e.g., current, previous calendar year, 6 years ago) they should submit documentation that reflects what is in place and in use in the time frame specified.
  • Can we get the list of the other entities selected?
    • Simply, no.
  • We had five HIPAA incidents (assumed breaches) in 2015. However, if we determined after an analysis that notification was not required for all breaches in 2015, would you like us to provide a notification from 2014?
    • We are asking for documentation for breaches for which notification was provided. If you did not have a sufficient number for 2015 to meet the request, please add incidents from previous years until you reach 5
      total.

Also, there is a 10mb limit per file.

If you have any other questions, you can contact the audit Program Manager, Zinethia Clemmons at Zinethia.Clemmons@hhs.gov.