Am I prepared for an OCR Audit?

The Office for Civil Rights (OCR) conducts audits of healthcare organizations to ensure full compliance with the requirements and implementation specifications of HIPAA Privacy, Security and Breach Notification Rules.

Every Covered Entity and Business Associate is eligible for an audit. The primary audit objective is to assess compliance across the HIPAA-regulated industry, with a focus on selected specifications of HIPAA Privacy, Security, and Breach Notification Rules. OCR also hopes to discover industry-common vulnerabilities that remain undetected during routine OCR complaint investigations and compliance reviews, and to use these findings to develop new breach prevention strategies. OCR will ultimately use audit findings to determine where to focus ongoing enforcement initiatives.

OCR’s audit protocol encompasses requirements and implementation specifications from HIPAA Privacy, Security and Breach Notification Rules. Included in the protocol are 89 Privacy requirements, 72 Security requirements and 19 Breach Reporting requirements. Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of topics to be audited from among these 180 audit items.

Let BlueOrange Compliance help your organization become audit-ready.

How Can We Help?