How the OCR’s Audit Program Crashed a Cocktail Party

    Last month I was in the Emerald City (Seattle, Washington) attending to business, renewing old friendships and taking in the beautiful sights of a place I once called home.

    During a social gathering, I introduced myself to a Covered Entity, who then proceeded to confess to me that the nonprofit at which he holds the combined role of Privacy and Security Officer had been chosen for the Phase 2 HIPAA Audit Program being conducted by the Office for Civil Rights (OCR). He had received an email notification from the OCR a week or so earlier.

    How fortunate is this? This is like winning the Lotto in compliance: being able to ask questions of a covered entity that was actually chosen for the Phase 2 Audit. As a compliance geek, I wanted to learn more, know more, so I started to ask questions.

    But before I share the question-and-answer session with you, I want to remind readers of the stated purpose of the audits, as it reads on the OCR website for the Phase 2 Audits:

    “OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”


    Judi: When did you get the email?

    Covered Entity: A couple of weeks ago. I just haven’t had time to get to it.

    Judi: I have been reading that the OCR has been encouraging those selected to get the information in to them. I believe they said 10 days. (I said to myself, “Oh my gosh.”)

    Covered Entity: They are asking about our Business Associates (BA).

    Judi: Do you maintain all of your agreements in a repository with an Excel spreadsheet? (Blank stare from Covered Entity.) I am sure you have your Business Associate Agreements (BAAs) updated. (Me nodding, hoping the statement is correct.)

    Covered Entity: Sure, after the HITECH Act.

    Judi: The Final Rule brought some significant changes to the relationship between a BA and the BAA. It made a number of changes to the required terms and conditions of a BAA, which requires Covered Entities, BAs and subcontractors to update existing BAAs.

    Covered Entity: (Sips his cocktail; rather, chugs the remainder of it.)

    Judi: Do you require your BAs to provide you with their Annual Risk Assessment?

    Covered Entity: (Shakes his head no, while going for another cocktail and some appetizers.)

    Judi: I am not sure whether you knew, but I am in the middle of publishing my comprehensive HIPAA Compliance Guide: over 150 customizable policies and procedures, required forms, logs, audits, and 22 chapters containing 100 pages of updated narrative pertaining to HIPAA and the changes under the Final Rule. Let me give you my business card.

    Covered Entity: Oh, I have a manual, I wrote it.

    Judi: That’s wonderful. Good luck with your audit. Since you have my card, please feel free to reach out to me should you need some guidance or a consultant. I visit the Seattle area often.

    Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert, providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult