Stay Calm — This Is Manageable
Receiving an audit notice from HHS's Office for Civil Rights (OCR) is serious, but it does not mean you've done something wrong. OCR conducts both complaint-driven investigations and random desk audits as part of its oversight program. Your response in the next 24-72 hours will set the tone for the entire audit process.
Step 1: Understand the Type of Audit or Investigation
OCR contacts come in several forms:
- Desk Audit: A document review conducted remotely. OCR sends a list of requested documents and you submit them electronically. These are often part of OCR's periodic audit program and don't necessarily stem from a complaint.
- Complaint Investigation: Triggered by a complaint filed by a patient, employee, or other party. OCR will typically describe the nature of the complaint in the notice.
- Compliance Review: May be initiated based on information OCR has received, including media reports of breaches. Often triggered by large breach reports (500+ individuals).
- On-Site Investigation: Rarer; typically occurs when a serious complaint or breach requires in-person review.
Read the notice carefully to understand what type of contact this is and what exactly OCR is asking for.
Step 2: Engage Legal Counsel Immediately
Before responding to OCR, engage an attorney experienced in HIPAA and healthcare regulatory matters. This is not optional — even if you believe your compliance is solid:
- An attorney can help you frame responses to avoid inadvertently providing information that expands the scope of the investigation
- Responses to OCR can be made under attorney-client privilege in some circumstances
- Legal counsel can negotiate timelines, represent you in discussions, and advise on Resolution Agreements if penalties are proposed
Step 3: Gather Your Documentation
OCR will typically request evidence of your compliance program. Begin gathering:
- Security Risk Analysis (SRA) — Your most recent completed SRA, with date
- Policies and Procedures — All HIPAA-required policies, with evidence they are current and have been reviewed
- Training Records — Evidence that all workforce members have received HIPAA training
- Business Associate Agreements — Executed BAAs for all vendors who handle PHI
- Incident/Breach Logs — Record of all incidents investigated and any breach notifications sent
- Audit Logs — System audit logs demonstrating access controls are in place
- Sanction Policy — Evidence you have and enforce a policy for workforce violations
- Notice of Privacy Practices — Current NPP posted and provided to patients
Step 4: Review Your Compliance Status in the Portal
Use your compliance portal to assess where you stand:
- Is your SRA current (completed within the last 12 months)?
- Are all policies reviewed and updated?
- Do you have complete training records for all employees?
- Are all your BAAs executed and on file?
- Have all identified gaps from previous assessments been addressed?
Identify any gaps now so you can address them before submitting documentation, or be prepared to explain them with a remediation plan.
Step 5: What OCR Will Look For
OCR's audit protocols focus on specific HIPAA requirements. The areas most commonly reviewed include:
- Security Risk Analysis — completion, comprehensiveness, and whether risks were acted upon
- Access controls — who has access to PHI and whether it's appropriately limited
- Workforce training — evidence of regular, documented training
- Business Associate Agreements — existence and adequacy for all BAs
- Breach notification compliance — proper documentation and timely notification
- Patient rights — processes for handling access requests and complaints
Response Timeline
OCR notices typically specify a response deadline — commonly 10-30 days for document production. Do not miss this deadline. If you need more time, contact OCR promptly (through legal counsel) to request an extension before the deadline passes. OCR will generally grant reasonable extension requests.