Tuesday, July 26, 2016

OCR's Top 7 Areas of Focus During Phase Two Audits

Areas of improvement to focus on within your office.

During Phase 2 of its HIPAA audits, the Office for Civil Rights (OCR) has decided to focus its attention on seven areas of compliance. These areas were chosen because of their history of non-compliance across multiple past audits. This is not to say that OCR will not investigate other areas, but its main focus will be on these specific requirements:

  • Under the HIPAA Privacy Rule
    • Notice of Privacy Practices and consent requirements
    • Provision of notice - electronic notice (NPP acknowledgement in electronic format)
    • Right to access (Patients' right to access their PHI)
  • Under the HIPAA Security Rule
    • Security management process - risk analysis (Documented and completed internal risk analysis)
    • Security management process - risk management (Documented policies and procedures that prevent, detect, contain, and correct security violations)
  • Under the Breach Notification Rule
    • Timeliness of notification (Notification of breach given to individual and OCR within required specifications)
    • Content of notification (Notification of breach contains all of the required information as specified by OCR)
These are important areas of compliance that have been neglected or outright ignored by healthcare organizations. If you have not done so, get these areas of compliance in order within your organization.

For information on how to prepare for OCR's Phase 2 HIPAA audits go to:
