Handling Multiple Requests From OCR Audit Program

May 25, 2016 David Holtzman

Last week OCR reported that it had faced challenges in identifying and selecting a diverse pool of organizations to participate in the Phase 2 HIPAA Audit Program. In an effort to expand the roster of covered entity candidates, OCR sent up to 10,000 emails to prospective covered entities in a single “e-mail blast”, asking recipients to confirm whether they were associated with an organization that is a HIPAA covered entity and to provide contact information for the appropriate HIPAA privacy and security officials. To make sure that your email system did not filter or reroute this communication, we recommend checking your “spam” folder for messages sent from OSOCRAUDIT@HHS.GOV.

We have learned that some organizations or health systems have received 25 or more inquiries from OCR, each addressed to a separate covered entity component that is part of the organization’s network of facilities or business units. Each email requests a response supplying contact information, even though that information is the same for every component in the network.

Many organizations receiving multiple requests from OCR have a centralized structure in which a single health information privacy or information security official is responsible for compliance governance for each of the components in the organization.

I contacted OCR to ask whether it would be possible to supply one response that would satisfy the multiple requests received by a central compliance official. OCR replied with the following guidance:

“Each CE that received a notice should attest to the information being correct that we have on file for them. If the same entity has received multiple notices, then only one response is needed. In many instances, though, the CE address differs, thus we would need a verification for each.”

In many large health systems, each component exists as a separate covered entity, even though they may have structured themselves as part of an OHCA or an ACE. If this is how a health system or network is structured, it will be necessary to respond to each request individually on behalf of each covered entity. If in fact an organization (or some part of its components) is a single covered entity, only one response is required, and the other sister campuses or business units can be listed in the reply.

If you would like to learn more about CynergisTek’s mock audit services or additional ways to prepare for the HIPAA audit program, email us at info@cynergistek.com.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
