This entry is part 5 of 27 in the series HIPAA Audit Tips

Attendees at HCCA’s 16th Annual Compliance Institute, April 29 – May 2, 2012 were treated to a look behind the curtains at the so-called “OCR Random Audit Documentation Request List”. As a reminder, the mandated audits are brought to you by the HITECH Act at Section 13411. These audits represent yet again another arrow in the quiver of enforcement tools being used to boost compliance with the long-ignored HIPAA Privacy and Security Rules. Here’s today’s big tip – The “OCR Random Audit Documentation Request List” is helpful, but not a panacea… learn why…

KPMG / OCR Audits Include an OCR Random Audit Documentation Request List … good insight into what to expect…

In our last HIPAA Audit Tips post entitled “Lessons from CMS’ 2008 Compliance Reviews”, we discussed how CMS performed reviews of ten Covered Entities (CEs) to verify compliance with “Security Standards for the Protection of Electronic Protected Health Information (ePHI).” The HITECH-mandated audits are broader and cover the Privacy Rule and Breach Notification Rules, in addition to the Security Rule.

There is much discussion underway about the OCR / KPMG audits. Checklists and tips, tools and tricks abound. Our followers know that we believe that the only and best checklists are the regulations themselves. We applaud the release of this “OCR Random Audit Documentation Request List”. Organizations will benefit by the look behind the curtain. One might even ask, “why did it take this long?” to provide this type of guidance.

We encourage readers to proceed with caution and not treat this request list as sufficient preparation for an audit. Here’s why:

  1. “Mileage will vary” – these compliance audits are new, and even though KPMG has a defined request list and audit protocols, different auditors will respond to documentation reviews in different ways. They’ll likely ask for more.
  2. “Tank is less than an eighth full” – the documentation request list is a brief three pages long. Together, the Privacy, Security and Breach Notification Rules exceed 100 pages and comprise dozens of Standards and many more Implementation Specifications. There’s a lot more to be covered.
  3. “May be some water in the tank” – upon careful examination, we found some cases of what might be considered either “hypo-vigilance”, “hyper-vigilance” or “misunderstanding”.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.