How to prepare for an OCR HIPAA audit proactively

March 30, 2021

Updated July 2023

Proactively strengthening your privacy and compliance program will help you maintain control over patient data and avoid compliance headaches. Find out how to prepare for an OCR audit in this post.

You should start preparing for an OCR HIPAA audit long before the notification letter hits your mailbox.

An auditor can easily detect a lack of preparation, making it essential for healthcare providers to take a proactive approach to HIPAA and OCR compliance. Proactively strengthening your privacy and compliance program will help you maintain control of your patient data and avoid costly and time consuming compliance headaches.

What is an OCR audit?

The Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS) launched its Phase 2 HIPAA Audit Program in 2016. An OCR audit is a compliance tool used to enforce the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

An OCR HIPPA audit is used to assess the controls, policies, and processes organizations use to maintain OCR compliance, and safeguard protected health information (PHI). When selected for an audit, organizations will be asked to provide data and documents relating to compliance with each HIPAA rule through a secure portal. These documents are specified when organizations are notified of the audit.

If an entity is determined to be noncompliant, they will be penalized. These penalties vary in cost and severity depending upon the organization’s level of culpability. This is determined by factors such as whether the OCR HIPAA violations were caused unintentionally and unknowingly, or with knowing and willful disregard for regulations.

When can the OCR audit you?

The OCR can audit any covered entity at any time. An OCR HIPAA audit can be assigned at random, or may occur in response to a patient compliant, an internal whistleblower, or a data breach. As there is no way to predict if or when your organization may be selected for an audit, you should prepare in advance, just in case.

What is the purpose of an OCR audit?

The OCR uses the HIPAA audit program to assess the compliance of a range of covered entities. As stated by the HHS, “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”

The standards of compliance will continue to rise as care providers continue to evolve. Instead of viewing HIPAA OCR audits as a burden, however, care providers can approach them as an opportunity to lay a foundation of compliance – a foundation upon which they can grow when adopting new tools, technologies, personnel, and workflows. If not proactively prepared for an audit, the penalties for noncompliance can be burdensome.

What are the most common OCR HIPAA violations?

Before you can craft a holistic OCR compliance strategy, you should first understand the HHS definition of a HIPAA breach and the violations that commonly trigger penalties. Essentially, the HIPAA Privacy Rule requires healthcare providers to protect and maintain any PHI. It also sets limits and conditions on how PHI can be used and disclosed in the absence of patient authorization. The Privacy Rule gives patients the right to view their health information and medical records, as well as request corrections.

A HIPAA breach is defined as the acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted by HIPAA; the activity must pose a significant risk of harm to the affected individual, whether it’s financial, reputational, or other damages.

Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals in the event that unsecured PHI is breached. Some of the most common HIPAA violations that can result in substantial fines are:

  1. Database breaches
  2. Employees disclosing information
  3. Mishandling of medical records
  4. Lost or stolen devices
  5. Lack of training
  6. Failure to encrypt PHI on portable devices
  7. Failure to perform an organization-wide risk analysis
  8. Employees legally accessing patient files
  9. Third-party disclosure of PHI
  10. Improper disposal of PHI

But the threat landscape is even broader than this list. Today, a multitude of advanced threats can result in a HIPAA violation or breach, and therefore fines and settlements – including for drug diversion, cybersecurity attacks, insider threats, fraud, and identity theft.

Costs for non-compliance with HIPAA

The cost of OCR HIPPA violations varies according to the type of violation, the knowledge and intent behind the violation, the scope and degree of harm caused, and if action was taken to correct the issue. There are civil penalties and criminal penalties, depending on whether a criminal provision of HIPAA was violated.

As of January 2023, civil penalties begin at $127 per violation in cases where the violation occurred without knowledge or intent, and where reasonable diligence would not have caught or prevented the violation. Civil penalties increase on a case by case basis, up to $50,000 for violations resulting from willful neglect that were not corrected within 30 days. The maximum annual cost of combined penalties is 1.5 million dollars.

The penalties for criminal OCR HIPAA violations range from $50,000 at minimum per violation, up to $250,000 per violation. Entities may also be required to make restitution to victims of the violation, and/or serve jail time. Accidental criminal violations resulting from negligence could lead to a jail term up to one year, while knowingly disclosing PHI for commercial or personal gain could lead up to a ten-year prison sentence.

What are common reasons for OCR audits?

Between April 2003 and March 31, 2023, the OCR levied a total $134,828,772.00 worth of fines in 130 cases. In 14,408 cases, the OCR determined that no violation had occurred, and in another 54,183 cases, the OCR intervened early, providing technical assistance and allowing covered entities and associated individuals to make corrections without the need for a full investigation. The compliance issues investigated most by the OCR, in order of frequency, include:

  1. Impermissible uses and disclosures of PHI
  2. Lack of PHI safeguards
  3. Lack of PHI patient access
  4. Lack of administrative safeguards of ePHI
  5. Use or disclosure of more than the minimum necessary PHI

These issues have most often been found in the following covered entities, in order of frequency:

  1. General hospitals
  2. Private practices and physicians
  3. Pharmacies
  4. Outpatient facilities
  5. Community Health Centers

As of July 2018, the HHS has investigated over 37,670 complaints, 69 percent of which have received corrective action.

How do you prepare for an OCR audit?

OCR audits are ongoing; while you may not be selected for a random audit, a breach or a patient complaint could very well put you in a position of interest. If selected for an audit, you will have just 10 days to respond to the OCR. This means that you should have controls in place now, so that you can confidently respond. Below are eight tips to prepare for an OCR audit:

Step #1: Conduct an OCR risk assessment

The Breach Notification Rule requires covered entities to conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether you need to report a PHI breach under law. The Office of the National Coordinator for Health Technology (ONC) and the OCR recently updated their Security Risk Assessment Tool to guide organizations through the compliance process.

Step #2: Document HIPAA policies and procedures

Your patient data is one of your most important assets. Without proper policies and procedures in place, employees and insider threats may do things to put PHI in jeopardy. Under HIPAA 164.316, organizations are required to implement “reasonable and appropriate policies, procedures, and standards.” Furthermore, organizations are required to document those policies and procedures to prove they’ve set boundaries and made expectations and standards transparent.

Step #3: Prepare an incident response plan

Crafting a quality incident response plan (IRP) will help you contain security incidents that would otherwise become breaches requiring regulatory involvement. The HIPAA Security Rule, requires covered entities to have IRPs. The HHS provides a free Incident Response Plan template to help organizations handle incidents with more agility. Once created, an IRP requires frequent evaluation and changes as the organization naturally evolves.

Step #4: Safeguard and protect all forms of PHI

Under HIPAA 164. 306, covered entities and business associates must ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI); under HIPAA 164.312, access to electronic systems holding ePHI must allow access to those persons that have granted access rights.

Organizations must make sure to monitor all systems holding ePHI, including EHRs, cloud applications, and mobile devices. By monitoring with a full lifecycle platform, they can detect, investigate, mitigate, and remediate inappropriate activity to address incidents. This can also help organizations identify employees who need training, sanctioning, or retraining — and foster a culture of privacy and compliance that prevents future incidents from occurring.

Step #5: Identify unknown and poorly known users

In a sample of 1 million users by FairWarning (now Imprivata) in EHRs and cloud applications, 26% were found to be poorly known or unknown to the care provider. This means that these users are unable to be monitored and audited, making it difficult to train or sanction them in the event of a HIPAA violation. To help, organizations can improve compliance by protecting their EHRs and cloud applications with a security strategy centered on digital identity.

Step #6: Train your workforce

An organization’s greatest risk often lies with its workforce. In fact, 39% of healthcare breaches involve insiders. To make sure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Once you identify employees who need training through your monitoring program, you should clearly communicate expectations about your organization’s policies and procedures and train accordingly through an LMS program.

Step #7: Maintain an inventory of business associate agreements

It is imperative that organizations enter into business associate agreements (BAAs) with any vendors handling PHI. This helps ensure that both parties are held accountable for creating, receiving, or transmitting PHI in a secure and intended manner. If either party violates the BAA, they may face penalties from the HHS. Most importantly, find a vendor who takes the BAA very seriously. Any organization can sign one, but do they have the proper protocols in place to responsibly handle PHI? Ask questions and investigate to assess how secure their processes really are.

Step #8: Evidence your risk management plan

It’s important to have the policies and procedures in place to implement a privacy and compliance program that adheres to the final Breach Notification Rule. To do so, identify your high-risk assets and ensure your risk analysis of these assets is current. These should include both technical and non-technical assets that are business critical.

Be ready for your OCR audit

There are some other ways to prepare for an OCR audit that can easily be worked into your office routine. These include:

  • Keeping an updated list of all locations where physical or ePHI is located (databases, file cabinets, laptops, etc.)
  • Regularly performing comprehensive risk assessments
  • Keeping training up to date for all employees who access PHI, and keep records of training certificates
  • Keeping an inventory of all contracts, BAAs, and HIPAA-related policies and procedures.
  • Check out the HHS audit protocol for reference.

By proactively planning for an OCR HIPAA audit and implementing the HIPAA breach prevention best practices above, you can avoid hefty fines and penalties. But most importantly, a proactive privacy and compliance program will lay the foundation for your organization to build upon as technology adoption increases. In doing so, you can focus on improving patient care and fostering trust between patient and provider.

Discover more in our whitepaper, Close gaps in your privacy, compliance, and trust with artificial intelligence and machine learning.