6 things to know about an OCR/HIPAA audit
It's one thing to know which hot buttons can trigger a visit from OCR. But according to Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar & Associates, organizations should also know what to expect if they're chosen to undergo an audit -- and know how to prepare for one.
Apgar and Sher-Jan outline six things to know about an OCR/HIPAA audit.
1. If everything is in order, look at an audit or investigation as an opportunity. Apgar, who has recently been conducting training sessions, said an investigation could be looked upon as an opportunity to gain feedback on your privacy and security efforts – presuming you have everything in place. "If you're selected and you've completed your risk analysis, you have policies and procedures implemented, and you can show you're making a good-faith effort, look at it as an opportunity for someone to come in, externally, and help your compliance efforts." OCR still intends to "live up to the spirit of the enforcement rule," which is informal enforcement, and unless you cross the line into willful neglect, OCR "still wants to work with organizations," said Apgar.
2. Understand the culture of compliance. "There are some specific areas [where] OCR has been wandering around the country and preaching the culture of compliance," said Apgar. This has been happening for the past year and a half and includes policy awareness, training programs, and discussions around incident response and risk analysis. "Those are the areas they're preaching, and the new head of the Office for Civil Rights even highlighted risk analysis in his testimony before Congress," he added.
3. Ignorance isn't bliss – it's willful neglect. In training sessions, Apgar said he highlights what exactly willful neglect entails. It's "knowing you're in violation," or that "you should have known," he said. "Ignorance is not bliss. I asked the question [in a training session], how many people in the room conducted a risk analysis in the last year, and less than a third of their hands went up." That number, Apgar said, was actually more than he's seen in the past, but, essentially, if you haven't conducted a risk analysis by now, you're in trouble. "[It's] been required since April 2005 and is the first requirement in the Administrative Safeguard section of the Rule," said Apgar. "You can't beg ignorance because you should have known, and therefore, you're guilty of willful neglect." Not to mention, he added, if you haven't conducted a risk analysis, there is a higher likelihood of finding yourself in trouble with OCR and not getting meaningful use dollars. "It's a two-edged sword type of problem," he said.
4. There's overlap between undergoing an investigation and undergoing an audit. Sher-Jan referenced an incident at the UCLA Health System and a recent incident at Phoenix Cardiac Surgery to help prove his point. "One of the big things that got UCLA in trouble is they couldn't provide proof of training around privacy and security," he said. "Just to point out, there is a lot of overlap whether you're audited or investigated." Looking at the PCS resolution agreement, he said, the organization was called out on a number of different things and was "in complete ignorance of the privacy and compliance rules." "And that's something to point out [about] UCLA as well," he said. "They didn't have a security official identified, they didn't have a risk analysis, so I'd imagine there were a number of these safeguards that weren't in place." Whether you're being investigated or audited, he continued, there's significant overlap in terms of where OCR looks, "and the more they see you're not in compliance, the more they will dig and the more they will find," he said.
5. It's all about clean, clear documentation. "One of the things about auditors that makes them happy is good, complete documentation upfront," said Apgar. Having good documentation, he said, will also make them less likely to want to "look under the rug … If you don't have that, they'll get suspicious and turn a little nastier." From a bottom line perspective, said Apgar, organizations should expect a letter from OCR, requesting information within 10 business days. "And that's 10 days since the letter was sent, not 10 days since you receive it," he said. "If you're the CEO, it takes a while for the letter to percolate down, so now you're way behind the 8 ball." Therefore, it's key to have documentation prepared ahead of time, paying attention to programs, policies, procedures, incident response plans and risk analysis. "That all needs to be centralized, so you can quickly grab it and make it available to the auditors," said Apgar.
6. Know auditors can look at anything and everything. The last thing that's important to know, said Apgar, is whether the auditor can look at or review patient information. "And the answer is yes, they can because they're working on behalf of the OCR and are in contract with them," he said. "Under the HIPAA regulation, if the secretary, meaning OCR, is investigating or auditing, then they have the right to see anything and everything." In the end, said Apgar, if your information is up-to-date and in line with HIPAA rules, you're good to go. "It needs to be current, accurate, complete and not only implemented, but enforceable," he said.
--------
Source: http://www.healthcareitnews.com/news/6-things-know-about-ocrhipaa-audit
This is what we feel:
"More than compliance, look at 'Audit' as a self-checking mechanism", remarks Dr. Charu Chitalia – Director Operations, Acroseas Global Solutions. One needs to be compliant at all times, which means installing an internal control system with efficient checkpoints at different levels that correct inefficiencies from time to time.