When can the OCR Audit You?

If you are wondering just when the OCR can audit your covered entity or business associate organization, you may conclude “any time it darn well wants to”. Well, that’s an oversimplification, but not by much. Let’s review the circumstances under which the Office for Civil Rights (OCR) of the Department of Health and Human Services can audit your organization.

OCR’s HIPAA Audit Program

In 2012, OCR announced a pilot audit program for covered entities and business associates. The program was conducted in two phases and included both desk and onsite audits. In Phase 1, the pilot itself, OCR conducted comprehensive onsite audits of the documentation and implementation activities of a sample of covered entities and business associates.

The overall results of the HIPAA audits according to the OCR: “Privacy challenges are widely dispersed throughout the protocol – no clear trends by entity type or size”. One finding that continues to this day is the lack of security risk analysis by all kinds of covered entities and business associates.

The Phase 1 HIPAA audit program was followed by Phase 2 a few years later. The results of this effort in 2016-2017 were released in December 2020. In the final audit report of Phase 2, the OCR summarized its findings of audits of 166 covered entities and 41 business associates. The good news included:

  • Most covered entities met the timeliness requirements for providing breach notifications to individuals.
  • Most covered entities that maintained websites had posted their Notice of Privacy Practices (NPP).

But there was bad news, too:

  • Most covered entities did not adequately safeguard protected health information (PHI).
  • Many did not make PHI available to individuals under the right of access under HIPAA.
  • Many covered entities and business associates did not provide appropriate content in their NPP.
  • Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for a HIPAA risk analysis and risk management plan.

OCR has yet to repeat this audit program, possibly due to the volume of breach notification reports it is dealing with. There have been over 5,300 reports of unauthorized disclosures affecting 500 or more records at one time since 2009. In the early years, most incidents were due to stolen or lost computers and laptops. Now the overwhelming majority of HIPAA breaches are attributed to hacking or IT incidents.

What is an OCR Compliance Audit?

Even though the OCR is not doing the types of HIPAA compliance audits it did in the mid-2010s, it is still doing plenty of HIPAA audits. In addition to the HIPAA audits triggered by reports of unauthorized disclosures of 500 or more records, OCR will conduct a HIPAA compliance audit based on patient complaints.

OCR Patient Complaint Process

Responding to patient complaints is part of the OCR Privacy Rule and Security Rule enforcement process. OCR enforces the Privacy and Security Rules in several ways:

  • by investigating complaints filed with it,
  • conducting HIPAA compliance reviews to determine if covered entities are in compliance, and
  • performing education and outreach to foster compliance with the Rules’ requirements.

OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.

OCR may only take action on certain complaints. OCR does not investigate complaints about incidents that occurred more than 6 years ago, or complaints against an organization that is not a covered entity or a business associate. The incident also has to be reported within 180 days of its occurrence and must describe a potential violation of the HIPAA regulations.

If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint.

OCR may request specific information from each to get an understanding of the facts. The OCR will typically send a document request letter, asking for policies and procedures and other information on how the covered entity handled the patient inquiry. Covered entities and business associates are required by law to cooperate with complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.

OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the Privacy or Security Rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

  • Voluntary compliance;
  • Corrective action; and/or
  • Resolution agreement.

Most Privacy and Security Rule investigations are concluded to the satisfaction of OCR through these types of resolutions. Sometimes the OCR concludes its investigation of a HIPAA violation by writing a letter to the covered entity or business associate simply reminding it of the provisions of HIPAA rules it must comply with. The OCR also sends an OCR notification letter to the person who filed the complaint.

If the covered entity does not take action to resolve the matter in a way that is satisfactory, or fails to submit the requested information, OCR may decide to impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing in which an HHS administrative law judge decides if the penalties are supported by the evidence in the case.

Complainants do not receive a portion of CMPs collected from covered entities; the penalties are deposited in the U.S. Treasury. These settlements often take place years after the HIPAA audit.

What if the OCR is conducting onsite audits of your HIPAA Privacy and Security program?

OCR’s ongoing complaint investigations often result in onsite audits. Onsite OCR audits may also be triggered by a breach notification submitted by a covered entity or business associate as part of the annual reporting of unauthorized disclosures. During an onsite audit, the audit process will include a compliance review of all of the applicable HIPAA Privacy, Security and Breach Notification Rules, because the OCR expects covered entities and business associates to be in compliance with all of these regulations.

The audited entity can expect the OCR to review documentation of its:

  • Privacy, Security and Breach Notification procedures,
  • HIPAA training for staff members,
  • business associate agreements, and
  • the results of its previous HIPAA risk assessment.

If you have been notified of an audit by the OCR, download the audit protocol the OCR will use during the audit. It is exhaustive (and exhausting!) but it covers everything that you will face in a HIPAA compliance audit.

What should you do now?

Well, one thing to do immediately is to conduct a HIPAA self-audit to gauge your readiness for the real thing. These periodic self-audits go a long way in shoring up your compliance efforts. Some questions to ask yourself:

  • Are you conducting regular risk assessments? The first step to ensuring compliance is performing a regular risk analysis. By identifying your vulnerabilities, you can stop common HIPAA violations before they happen.
  • What are your policies and procedures, and can you describe how you implement them? Your reasonable and appropriate policies and procedures will be unique and based on your company culture. Auditors will want documentation and records showing that you have properly communicated and implemented those policies and procedures with your staff.
  • Do you have up-to-date training programs and manuals for employees? When your practices change, you must also update your training manuals. For example, the pandemic created an increase in remote work. Your staff should be fully trained to keep ePHI secure when working from home.
  • Do you have Business Associate Agreements for every vendor with whom you share ePHI? Periodically review your vendors and Business Associate Agreements to be sure they are up-to-date and relevant.
  • Are you keeping well-organized documentation? Document everything. Your thorough records can offer proof of your strong efforts to maintain HIPAA compliance. This is especially important for showing compliance with the HIPAA Breach Notification Rule.
  • Are you keeping track of ePHI? You most likely are aware of the ePHI in your main databases and programs, but are you aware of every spreadsheet, file transfer, or mobile device that may contain patient data? You can use technological tools to scan your entire network to locate any ePHI that may be hidden.
  • Are you prepared to respond to incidents of noncompliance? It’s best to have your plan for disclosing a breach in place before it happens. Hopefully, you will never need it, but if you do, you will already have the policies and procedures that enable you to disclose the proper information within the timeframe required to meet HIPAA requirements.
  • How are you monitoring mobile devices? With new technologies and the need for remote work during the pandemic, more organizations are using mobile devices outside of the healthcare organization. Is your mobile data encrypted? Have you trained your staff on how to keep it secure from unauthorized access? Is your Information Security Officer continually reviewing the need for new or enhanced security measures and/or health information technology?
  • Are you monitoring recent trends in common HIPAA violations? In the past few years, the OCR has received many complaints from patients about unfulfilled requests for medical records. The OCR expects HIPAA-covered entities to respond within the 30-day time frame specified in the HIPAA law for responding to such requests. Fines large and small have been levied on covered entities that fail to release medical records in a timely manner.


The list of healthcare organizations that have had OCR HIPAA compliance audits is replete with mentions of organizations that were found not HIPAA compliant in many areas. Many of these HIPAA audit findings were unrelated to the initial HIPAA complaint or potential HIPAA violations the OCR came to investigate. So learn all you can from the mistakes of others, and remember, the price of HIPAA compliance is eternal vigilance!

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPAs, MSOs, and other healthcare organizations.