John DiMaggio

If you are a skilled nursing provider, the Office for Civil Rights may have you in its crosshairs. OCR is currently conducting HIPAA audits that target all types of healthcare organizations. In fact, OCR has promised that the audit pool will represent a diverse sample of organizational types and sizes, indicating skilled nursing providers should expect to be well represented in this initiative.

The audits began in March and are expected to conclude by year’s end. OCR’s primary focus is to assess compliance across the HIPAA-regulated industry, concentrating on selected specifications of the HIPAA Privacy, Security, and Breach Notification Rules.

OCR also hopes to discover industry-common vulnerabilities that remain undetected during routine OCR complaint investigations and compliance reviews, and use these findings to develop new breach prevention strategies. Since every covered entity and business associate is eligible for an audit, how will you know if your skilled nursing facility has been selected?

The process begins with an email from [email protected] that requests verification of entity contact information. Once contact information is obtained, OCR will send a questionnaire for the purpose of gathering demographic data. The demographic data collected from the questionnaire will then be compiled to create a pool of audit candidates, likely representing a wide range of organizational sizes, types and geographic locations. Audit candidates will then be randomly selected from this audit pool.

It is important to note that your system may incorrectly classify emails from OCR as spam, so monitor your junk or spam folders closely. Ignoring the Information Verification email or the questionnaire (or not locating this OCR communication in your spam folders) will not keep your organization from being entered into the audit pool. OCR will simply use public information about entities that do not respond when creating the audit pool, and therefore a non-responding entity may still be selected for audit or be subject to a compliance review.

If your skilled nursing facility received the OCR questionnaire, it has been included in the audit pool and is subject to a potential audit. Start preparing immediately (see the OCR Audit eBook link at the end of this article for tips on how best to prepare for a pending audit).

If your skilled nursing facility did not receive the OCR Verification email or questionnaire (after having checked your spam folders), you are likely not in the initial audit pool. However, this does not mean your organization is “safe” from audit, because OCR will use these very audit findings to determine where to focus ongoing enforcement initiatives.

That means if OCR identifies common vulnerabilities in the audited skilled nursing facilities, it will likely double back with an initiative focused on that industry segment. Additionally, it simply makes sense to achieve and maintain HIPAA compliance, as all covered entities are subject to random HIPAA audits, as well as audits resulting from a complaint or security breach.

For more information on OCR audit selection processes, or to learn about the actual audit process, anticipated failing points and best practices for audit readiness, download our OCR Audit eBook by clicking here.

John DiMaggio is the CEO at Blue Orange Compliance. To learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit blueorangecompliance.com.