OCR Announces the Results from it's Pilot Audit and it's Plans For Next Year


The Office of Civil Rights Audit Pilot Program has come to an end with 115 audits, primarily in person, having been completed. The Pilot Program had multiple revelations in privacy, some of which were probably, not so surprising. Of the primary issues discovered the following were top concerns to OCR:

  • Failure of the covered entity to provide an accurate Notice of Policy Practices to its patients;
  • Failure by the covered entity to grant individual access to records in a timely and appropriate fashion;
  • Failure of the covered entity to comply with the minimum necessary standards; and
  • Failure to obtain appropriate authorizations

In the Security area the concerns were those that we frequently see from CMS, OCR and others including:

  • Failure by the covered entity to complete a risk analysis,
  • Failure to properly store or dispose of media, including inventory failure;
  • Failure to have appropriate audit controls; and
  • Failure of general monitoring such as occurred in Idaho State when it took down the system for general maintenance and when it put it back up, failed to put the firewall or any security processes in place for over 10 months.

The Pilot Program didn’t reveal anything new or unusual. In terms of what we might expect based on the prior corrective action plans and more than 22,000 complaints which OCR has dealt with in regard to HIPAA violations and problems. The mistakes seem consistent. OCR is starting to develop the idea however, that we have been warned - act accordingly.  

OCR has now announced the implementation of its indicated regular Audit Program. This will be handled and managed by OCR staff itself rather than outsourcing. The Pilot Program was outsourced to KPMG who handled the work of the audits providing the audit documentation to OCR for review. OCR staff will conduct all new audits and anticipates beginning the audit process for 350 covered entities in October of 2014 and continuing through June of 2015. OCR will then select approximately 50 Business Associates in 2015 for a similar audit process. It is anticipated that the audits themselves will, for the most part, be desk audits, where policies, protocols, documentation, audit logs and similar items are requested and then reviewed by OCR staff without an on sight review and visit. OCR has also indicated that it will post on its website its updated audit protocol before the program begins so that covered entities may use this to prepare for internal compliance as well as the audit program itself. It can be anticipated however that any ongoing audit program will focus on those areas of concern, such as inventory, media control, encryption and similar items which have consistently been identified as problems across the board for all previously audit covered entities and which crop up consistently in generalized HIPAA complaints and corrective action plans.

Written by:

Published In:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Brown Law Firm | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.