Attendees at HCCA’s 16th Annual Compliance Institute, April 29 – May 2, 2012 were treated to a look behind the curtains at the so-called “OCR Random Audit Documentation Request List”.   As a reminder, the mandated audits are brought to you by The HITECH Act at Section 13411.  These audits represent yet again another arrow in the quiver of enforcement tools being used to boost compliance with the long-ignored HIPAA Privacy and Security Rules.  Here’s today’s big tip – The “OCR Random Audit Documentation Request List” is helpful, but not a panacea… learn why…


KPMG / OCR Audits Include an OCR Random Audit Documentation Request List … good insight into what to expect…

In our last HIPAA Audit Tips post entitled “Lessons from CMS’ 2008 Compliance Reviews”, we discussed how CMS performed reviews of ten Covered Entities (CEs) to verify compliance with “Security Standards for the Protection of Electronic Protected Health Information (ePHI).”   The HITECH-mandated audits are broader and cover the Privacy Rule and Breach Notification Rules, in addition to the Security Rule.

There is much discussion underway about the OCR / KPMG audits.  Checklists and tips, tools and tricks abound.  Our followers know that we believe that the only and best checklists are the regulations themselves.   We applaud the release of this “OCR Random Audit Documentation Request List“.  Organizations will benefit by the look behind the curtain.  One might even ask, “why did it take this long?” to provide this type of guidance.

We encourage readers to proceed with caution and not treat this request list as sufficient preparation for an audit.  Here’s why:

  1. “Mileage will vary” – these compliance audits are new and even though KPMG has a defined request list and audit protocols, different auditors will respond to documentation reviews in different ways.  They’ll likely ask for more.
  2. “Tank is less than eighth full” – the documentation request list is a brief three pages long.  Together, the Privacy, Security and Breach Notification Rules exceed 100 pages and comprise dozens of Standards and many more Implementation Specifications.  There’s a lot more to be covered.
  3. “May be some water in the tank” – upon careful examination, we found some cases of what might be considered either “hypo-vigilance”, “hyper-vigilance” or “misunderstanding”.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput, CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.