OCR Audits Revisited


The first thing you must understand about OCR audits going forward is that they are going to increase in number significantly. There are two strong evidentiary foundations for this: (1) under the proposed Privacy Rule of 2021 patients are provided with enhanced access to their PHI including the following three enhancements, which are the ones that we consider the most disruptive and insidious:

  1. The right to inspect at the time of appointment (“TOA”) and the point of care (“POC”) enables patients to enter your facility “to view, create videos, take photographs and use other resources;”
  2. The right to enter your facility to inspect at a “convenient place and time” (“CP&T”) (e.g., OCR uses the example of a medical records facility) to perform the same actions described above;
  3. Reduced time to provide patients access to their PHI (i.e., as under the old Rule, except that the response window was cut in half from thirty (30) to fifteen (15) calendar days, with the extension remaining intact); and

you can rest assured that patients who are not satisfied with access to your facilities (e.g., either because of the time allocated or for any other reason) are going to complain to OCR; any complaint wherein OCR finds “willful neglect” on its face (e.g., denial of access to the facility) mandates an audit by OCR under HITECH Act §13410 (“Improved Enforcement”); and (2) HHS has finally gotten around to requesting comments on the proposed methodology for patients to share in the CMPs levied against covered entities and business associates (collectively “Stakeholders”), which is mandated under §13410(c)(2). OK, they are 12 years late, but hey, this is the U.S. government we are talking about.

Once patients learn that there are financial incentives available for filing complaints with OCR then, of course, more complaints are certain to follow. Granted, many of these may be bogus and show neither “willful neglect” nor any other violation, in which case they will end up in the OCR “bit bucket.” However, the proposed Privacy Rule turns front office staff into liability-generating machines, and many of these complaints will indeed show “willful neglect” on their face (review the resources section for additional information on the proposed Privacy Rule).

Difference Between 2012 and 2018 Audit Protocols

You should also understand that the 2018 OCR Audit Protocol is significantly more rigorous than what was proposed in 2012. Compare the two below:

OCR’s 2012 Protocol indicated they wanted to accomplish the following for each rule:

Security Rule

  • conduct risk assessments,
  • develop and deploy an information system activity review process,
  • select a security official, and
  • evaluate existing security measures related to access controls.

Privacy Rule

  • obtain a valid authorization for the use or disclosure of PHI,
  • disclose PHI for health oversight activities,
  • comply with minimum necessary requirements for uses and disclosures of PHI, and
  • account for disclosures of PHI.

Breach Notification Rule

  • conduct a risk assessment of a breach,
  • provide a breach notification to individuals in a timely manner, and
  • when appropriate, issue a breach notification to the media and the HHS Secretary.

OCR’s 2018 Protocol

The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. The analysis is conducted using a comprehensive audit protocol, updated to reflect the Omnibus Final Rule. The audit protocol is organized by Rule and regulatory provision and separately addresses the elements of privacy, security, and breach notification. The audits performed assess entity compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review. [Emphasis Added]

  1. Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies, procedures, and other standards;
  2. Entities must provide only the specific requested documents, not compendiums of all entity policies and procedures (i.e., commentary: forget anachronistic “audit books”). The auditor will not search for relevant documentation that may be contained within such compilations;
  3. Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request;
  4. Unless otherwise specified, selected entities should submit documents via OCR’s secure online web portal in PDF, MS Word or MS Excel formats;
  5. If the requested number of document(s) are not available, the entity must provide instances from equivalent prior time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect;
  6. Workforce members include entity employees, on-site contractors, students, and volunteers; and,
  7. Information systems include hardware, software, information, data, applications, communications, and people.

Beyond Risk Assessments

Comparing the protocols above, and remembering our lived experience at the time, the entire focus was on producing a Risk Assessment. Of course, that’s what everyone, including vendors, spent their time doing, or marketing software for. However, it was obvious almost right away that a Risk Assessment was nothing more than an analytical step. Yes, it was also a foundational analytical step; you couldn’t proceed without it (i.e., with respect to Security Rule compliance), but an exhaustive Risk Assessment did not remediate anything. It just identified what needed to be remediated. Nothing in the Rule precluded an agile approach: assess 10-20 high-priority risks, and then begin remediating those. So that’s when we began advising our clients accordingly, and we made the claim that, using Expresso®, a Risk Assessment could be done in three hours or less. Of course, our competitors claimed that was “snake oil,” but they had categorically misread that an agile approach has always been built into NIST best practices for conducting assessments. Unfortunately, some of our competitors are “still stuck on stupid” in this regard.

So, the takeaway here is that if you get audited, producing exhaustive assessments without remediation that meets the requirements of the Compliance Equation® is not going to be of any use to you. In fact, it will send OCR the opposite message, and that will certainly not inure to your benefit.


Expect a lot more OCR audits going forward. Expect them to be more rigorous looking for process results rather than analysis. We are long past the time where analysis will suffice. Further, because of the disruptive nature of the proposed Privacy Rule, and patients perhaps soon becoming financially incentivized to file complaints, what you should expect is a game changer in the way the HIPAA Rules are enforced.