The Office for Civil Rights (OCR) conducts investigations of healthcare organizations to ensure full compliance with the requirements and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules.
Every Covered Entity and Business Associate is eligible for investigation. The primary objective is to assess compliance across the HIPAA-regulated industry while focusing on selected specifications of the HIPAA Privacy, Security, and Breach Notification Rules. OCR looks to discover industry-common vulnerabilities that remain undetected during routine OCR complaint investigations and compliance reviews, and intends to use these findings in developing new breach prevention strategies. OCR ultimately uses investigation findings to determine its ongoing enforcement initiatives and compliance monitoring activities.
OCR’s investigation protocol encompasses requirements and implementation specifications from the HIPAA Privacy, Security, and Breach Notification Rules. Included in the protocol are:
- 89 Privacy requirements;
- 72 Security requirements; and
- 19 Breach Reporting requirements.
Based on the type of Covered Entity or Business Associate selected for audit, OCR will identify a subset of topics to be audited from among these 180 audit items.
You need to make sure your organization is audit-ready.