This entry is part 17 of 27 in the series HIPAA Audit Tips

We recently posted a sample form used for management comment upon receipt of the initial Notification of Findings and Recommendations (NFR) Report. Here’s today’s big tip: view a sample Notification of Findings and Recommendations (NFR) Report and learn how the OCR Audit Protocol is being used.


Notification of Findings and Recommendations Report from OCR HIPAA Audits

If you have not yet been through an OCR HIPAA Audit, you may still have time to prepare. In a single sentence in the HITECH Act at Section 13411, Congress mandated that the Secretary of HHS perform audits of Covered Entities and Business Associates to test compliance with the HIPAA Privacy and Security Rules and the HITECH Breach Notification Rule.

Management’s Initial Report from OCR HIPAA Audits

The organizations being audited with whom we have worked are presented with a detailed listing of all deficiencies found. Each finding is documented under five headings: Condition, Criteria, Cause, Effect and Recommendation.

Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations that have not already done so complete some fundamental preparation activities, which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
  4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
  5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
  7. Document and act upon a corrective action plan

Please feel free to contact us to benefit from our expertise and to help you jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.