The OCR audit documentation request list


In our last discussion, we talked through how to get the audit process off to the right start and set the tone by giving attention to general readiness. We also talked about the first requirement that is conveyed during OCR audits: the request for documentation. 

So this time, let’s take a look at that list, which is quite long and very detailed in its requirements. This information is important because, not only does it inform the audit team about your programs, but it also informs their audit plans for you.

Obvious omissions will absolutely signal areas to be assessed. Other areas that will catch their attention are the currency of assessments, plans, audits, etc., as this is all information that should be fairly current if it reflects an active program. For instance, a risk assessment performed more than two years ago may signal that risks are not regularly assessed or managed. A risk assessment that identifies a lack of encryption as a risk -- but with no encryption policy present -- can signal that perhaps the risk assessment does not inform the selection or application of security controls. The audit team will glean a lot of information and impressions from the documentation they are provided well before coming on site.

At the bottom of this post is the list that was sent to at least two of the first 20 recipients of the OCR audits. Keep in mind that the audit protocols, and supporting documentation like this list, are still subject to review and revision by OCR. In fact, OCR hopes to have all information regarding the audits published to the general public before the end of the year. That said, you can still use this list as a way to measure your readiness to produce this information if tagged with one of these audits. Questions to ask yourself as you go through the list:

  • Do we have all of these documents?
  • Are they current, and do they reflect practices?
  • Can we easily collect and provide this information?
  • Do we have documentation to support policies/plans?

Many organizations have struggled with this list. Hopefully having it ahead of time will give you a chance to improve that experience. As a reminder, this is important not only for these random audits, but also should you ever find yourself in a position as the Phoenix Cardiac Surgery practice did responding to a complaint regarding the public posting of patient information. That practice received a $100,000 fine from OCR arising from that complaint.

What you might not know is that they did not receive the fine because of the complaint alone.  When OCR arrived to investigate the breach, they discovered that this was just the tip of the iceberg, so to speak. The practice had not conducted a risk analysis, did not have policies and procedures documented and training was found to be inadequate. The fine was more a reflection of overall lack of readiness than the issue from the complaint. 

The new director of OCR, Leon Rodriguez, in his interview after the event stated that organizations large and small should take heed of the message from this enforcement action; regardless of why they arrive at your location, they will address what they see. 

Here is the list:

Add new comment