Attendees at HCCA’s 16th Annual Compliance Institute, April 29 – May 2, 2012 were treated to a look behind the curtains at the so-called “OCR Random Audit Documentation Request List”. As a reminder, the mandated audits are brought to you by The HITECH Act at Section 13411. These audits represent yet again another arrow in the quiver of enforcement tools being used to boost compliance with the long-ignored HIPAA Privacy and Security Rules. Here’s today’s big tip – The “OCR Random Audit Documentation Request List” is helpful, but not a panacea… learn why…
KPMG / OCR audits include an OCR Random Audit Documentation Request List, which gives good insight into what to expect.
In our last HIPAA Audit Tips post entitled “Lessons from CMS’ 2008 Compliance Reviews”, we discussed how CMS performed reviews of ten Covered Entities (CEs) to verify compliance with “Security Standards for the Protection of Electronic Protected Health Information (ePHI).” The HITECH-mandated audits are broader and cover the Privacy Rule and Breach Notification Rules, in addition to the Security Rule.
There is much discussion underway about the OCR / KPMG audits. Checklists and tips, tools and tricks abound. Our followers know that we believe the only and best checklists are the regulations themselves. We applaud the release of this “OCR Random Audit Documentation Request List”. Organizations will benefit from the look behind the curtain. One might even ask why it took this long to provide this type of guidance.
We encourage readers to proceed with caution and not treat this request list as sufficient preparation for an audit. Here’s why:
- “Mileage will vary” – these compliance audits are new and even though KPMG has a defined request list and audit protocols, different auditors will respond to documentation reviews in different ways. They’ll likely ask for more.
- “Tank is less than eighth full” – the documentation request list is a brief three pages long. Together, the Privacy, Security and Breach Notification Rules exceed 100 pages and comprise dozens of Standards and many more Implementation Specifications. There’s a lot more to be covered.
- “May be some water in the tank” – upon careful examination, we found some cases of what might be considered “hypo-vigilance”, “hyper-vigilance”, or simple misunderstanding of the rules.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.