The Office for Civil Rights (OCR) Phase 2 Audits are definitely underway. In the past five days alone, we have had more than a dozen organizations contact us letting us know that they have received a formal pre-audit questionnaire from OCR. OCR designed the pre-audit questionnaire as a way to build its pool of potential covered entity and business associate auditees. A few covered entities that have received pre-audit questionnaires told us that they had reported breaches to OCR in 2015, and previous years, and were wondering if that may have put them on OCR’s radar. We’re not sure how OCR is choosing the entities to receive those pre-audit questionnaires, we just know there are plenty of them going out…and at a rapid pace.

What does this mean for you? If you have received a pre-audit questionnaire, you will be placed into the pool of potential auditees, thus, increasing your chances of being audited. If you’ve yet to receive one, don’t count yourself out, as OCR plans on sending out pre-audit questionnaires on a continuous rolling basis.

Unlike the Phase 1 audits, gone are the days of OCR simply ‘inquiring’ whether a policy and procedure is in place.  As discussed in an earlier blog post, the current audit protocol takes a more granular look at the regulations and is comprised of further in-depth inquiries and documentation review. Additionally, to assist in OCR’s in gathering possible business associates auditees, OCR asks that chosen covered entities prepare a list of its business associates. It is from this data that OCR will create its pool of business associates auditees.

On top of the current audit protocol’s greater coverage of the regulations, any organization chosen to be audited will have only ten (10) business days to respond to OCR’s audit notification letter. There will be no extensions to this deadline – stressing the importance of having a robust HIPAA compliance program in place.

Have you received a pre-audit questionnaire? Are you wondering how you would fare in the event of an OCR audit? Are you confident that you could respond to OCR within 10 business days of receiving an OCR notification letter?

If you’re wondering how your organization would do if OCR came knocking on your door, Clearwater Compliance can provide valuable assistance with a range of services:

  • Clearwater’s 10-Point Strategic HIPAA Compliance Assessment™ provides a high-level assessment of the effectiveness of your organization’s HIPAA compliance program by assessing ten key compliance areas of your program, based on OCR’s enforcement actions.
  • Clearwater’s HIPAA Mock Audit will engage your organization in mock audit scenarios that you might experience if selected as an auditee in the Phase 2 audits. You’ll be prepared by learning the type of documentation and information is being sought by OCR, the status of your program documentation and how to respond effectively.
  • In the event you are selected by OCR to be audited, Clearwater offers Audit Response Support Services that provide your organization with fully-credentialed and experienced consultants to assist your organization to respond to OCR effectively and efficiently.

Contact Clearwater to learn more!