We recently posted a sample form used for management comment upon receipt of the initial Notification of Findings and Recommendations (NFR) Report. Here’s today’s big tip – View a sample Notification of Findings and Recommendations (NFR) Report! Learn how OCR Audit Protocol is being used.


Notification of Findings and Recommendations Report from OCR HIPAA Audits

If you have not yet been through an OCR HIPAA Audit, you may still have time to prepare. In a single sentence in The HITECH Act at Section 13411, Congress mandated that the Secretary of HHS perform audits of Covered Entities and Business Associates to test compliance with the HIPAA Privacy and Security Rules and the HITECH Breach Notification Rule.

Management’s Initial Report from OCR HIPAA Audits

The organizations being audited with whom we have worked are presented with a detailed listing of all deficiencies found, with details as follows: Condition, Criteria, Cause, Effect and Recommendation.

Actions You Should Take Now to Prepare for OCR HIPAA Audits

We recommend that organizations who have not already done so complete some fundamental preparation activities which include, but are not limited to:

  1. Establish a formal Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
  2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
  3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
  4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
  5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
  6. Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
  7. Document and act upon a corrective action plan

Please feel free to contact us to benefit from our expertise and help you jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.