Request Demo

Please complete the form and we'll get in touch to schedule a demonstration.

* Required field

  • Demonstration Scheduling

    Please indicate two dates and time blocks below and a representative will contact you to schedule your personal demonstration.

Healthcare Compliance Weekly eUpdates

Please complete the form to start receiving complimentary and timely updates about compliance.

* Required field

Contact Us

Toll Free: 1-888-54-FIRST
Phone: 302-416-4329
Fax: 302-416-4330
E-mail: info@1sthcc.com

Use the form below to get in touch with us.

* Required field

Did You Receive an OCR Notice for the Phase 2 Audit? What’s Next?

Home/OCR/Did You Receive an OCR Notice for the Phase 2 Audit? What’s Next?

Now that OCR has officially started the Phase 2 HIPAA Audit Program, are you adequately prepared to be an auditee? OCR is currently compiling its pools of potential auditees that will be selected at random for auditing purposes. Many healthcare providers have already received this OCR notice requesting verification of contact information which must be responded to within 14 days. While this notice does not necessarily indicate that the provider will be audited, the provider will be entered into the pool of potential auditees. In conducting its data gathering efforts, OCR will also request completion of an Audit Pre-Screening Questionnaire to gather information on the size, type, and operations of potential auditees, which can be viewed on the HHS website.

Time is of the essence when it comes to preparedness as providers will have limited time to respond to… Click To Tweet

1st Round- Desk Audits

The first round of audits will be in the form of desk audits, which is scheduled to be completed by December 2016. These desk audits will be completed in two sets, with the first set focused on covered entities and the second set focused on business associates. Selected auditees will receive email notification from OCR along with an initial request for documentation and data. Auditees will only have 10 business days to respond to the request by submitting the requested information via OCR’s new secure online portal. Providers will be required to identify and provide detailed information on each of its business associates. And depending on the findings of the desk audit, auditees may be subject to a subsequent onsite audit. Upon completion of the desk audit, OCR will prepare and share its draft findings. Auditees are granted 10 business days to respond to the draft findings with any written comments, and OCR will then issue a final audit report within 30 days.

 

2nd Round- Onsite Audits

The second round of audits will be conducted in the form of onsite visits, which will encompass a more comprehensive examination compared to that of the desk audit. Selected auditees will receive email notification from OCR. The on-site audit starts with an entrance conference that will review the audit process, followed by the actual audit that can last from three to five days.

Auditees selected for the onsite audit will have the same amount of time to review the OCR’s draft findings as mentioned above before a final audit report is issued. OCR may ensue a compliance review if it uncovers serious compliance issues during this audit.  

 

OCR’s Revised Audit Protocol

Last month, OCR revised its Audit Protocol to incorporate requirements from the HIPAA Omnibus Final Rule of 2013. This protocol will be used by its auditors in conducting the Phase 2 audits and serves as guidance on areas a potential audit may focus on and can be used as a risk assessment tool to evaluate a provider’s current compliance program.

Preparation is key to successfully surviving the audit and continuing with the main goal of providing… Click To Tweet

Prepare As If You Are Going to Be Audited!

Preparation is key to successfully surviving the audit and continuing with the main goal of providing high quality patient care. Providers should be adequately prepared to participate in Phase 2 by (i) reviewing updating and enforcing internal policies and procedures relevant to HIPAA Privacy, Security, and Breach Notification Rules; (ii) having documentation of compliance efforts readily available; (iii) reviewing OCR’s updated Audit Protocol; and (iv) preparing staff in the event of an audit. Time is of the essence when it comes to preparedness as providers will have limited time to respond to OCR’s audit requests once identified as an auditee. Moreover, providers can expect to be the target of a separate compliance review if violations are uncovered during an audit. This is especially true since the Office of Inspector General issued its September 2015 report criticizing the OCR’s oversight efforts over covered entities, as mentioned in our previous blog post, Are You Prepared for the HIPAA Phase 2 Audits?.

By |June 16th, 2016|OCR|

Leave A Comment