Set Yourself Up for Success: Preparing for an OCR Inspection in Healthcare

Amber Ratcliffe
Female healthcare compliance officer completing an OCR inspection

As a key member of your facility’s healthcare compliance programming, you understand the significance of regulatory compliance and the critical role it plays in ensuring the privacy and security of patient information. One of the many things you’re tasked with as a leader of compliance is knowing what’s involved with an Office for Civil Rights (OCR) audit. Here’s what you need to know and how to set yourself up for a successful OCR inspection.

Have more questions about preparing for an OSHA, OIG, CMS, or private payer inspection? Download Compliance Reports You Can’t Live Without.

What Does the Office for Civil Rights Oversee in Healthcare?

As a branch of the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) provides oversight of safe and ethical handling of patient data and privacy. The OCR is responsible for enforcing the Health Information Portability and Accountability Act (HIPAA) which includes:

  • Privacy Rule: The HIPAA Privacy Rule establishes standards for the protection of individuals’ protected health information (PHI). This rule governs how healthcare providers, health plans, and healthcare clearinghouses handle and safeguard PHI.
  • Security Rule: The HIPAA Security Rule sets standards for securing electronic PHI (ePHI). It mandates the implementation of administrative, technical, and physical safeguards to protect ePHI.
  • Breach Notification Rule: The HIPAA Breach Notification Rule requires covered entities to report breaches of unsecured PHI to affected individuals, OCR, and, in certain cases, the media.

In addition to HIPAA, the OCR ensures equal access to certain health and human services. This means that the OCR may investigate complaints filed by individuals who believe their rights have been violated under the laws and regulations it enforces. A variety of federal laws prohibit discrimination on the basis of race, color, national origin, age, disability, and sex in healthcare services and programs. Specifically, the laws enforced by the HHS and OCR are:

  • Title VI of the Civil Rights Act of 1964: Prohibits discrimination on the basis of race, color, and national origin.
  • Title II of the Americans with Disabilities Act (ADA): Ensures that individuals with disabilities have equal access to healthcare services and facilities.
  • Section 504 of the Rehabilitation Act of 1973: Prohibits discrimination against individuals with disabilities in programs receiving federal financial assistance.
  • Section 1557 of the Affordable Care Act: Prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in healthcare programs and activities.

What Is the Scope of an OCR Inspection?

An OCR inspector will assess your organization’s internal processes for handling patient data. The inspector will ask to see all relevant documentation, policies, incidents, and training records related to the privacy and security of patient data. Your cooperation with the inspection entails ensuring your documents and policies are available and readily accessible. The quicker you can produce what’s requested, the quicker — and less painful — the inspection will be. 

The Most Common OCR Inspection Violations

In the healthcare industry, HIPAA violations and breaches of patient privacy are the most common citations made during an inspection by the OCR. Any HIPAA-covered entity is legally required to follow HIPAA laws, and can incur hefty fines if these laws are violated. HIPAA-covered entities include: healthcare providers (individuals or organizations) that conduct certain transactions in electronic form, healthcare clearinghouses, and healthcare plans (including commercial, Medicare, and Medicaid).

An OCR inspection violation or HIPAA breach can lead to additional audits, financial penalties, and your organization added to OCR’s list of open investigations. According to the HIPAA Journal, the 10 most common HIPAA violations to avoid are:

  1. Non-essential access of healthcare records 
  2. Insufficient or non-existent security risk analysis
  3. Insufficient or non-existent management of security risks
  4. Denying or excessively delaying patients’ access to health records
  5. Lack of HIPAA-compliant business associate agreements
  6. Inadequate ePHI access controls
  7. Lack of proper encryption or ePHI safeguards
  8. Noncompliance with breach notification deadline (60 days)
  9. Impermissible or invalid PHI disclosures
  10. Improper PHI disposal

Download a free and ready-to-use HIPAA Breach Notification Policy.

Which Reports Do You Need To Satisfy an OCR Inspection?

Completing an OCR inspection successfully is all about proper tracking and reporting. Your organization’s ability to practice regulatory compliance is only as good as what’s been documented. Below are four essential reports you should have on hand not only during an OCR inspection, but on an ongoing basis for internal auditing, presenting to your board, and monitoring of staff acknowledgements and training progress.

Incidents Report

It is required by law that all covered entities document and report any instance of a HIPAA breach or violation of privacy protected patient data. A compliance report that serves as a record of all incident reports made is key to demonstrating accountability, transparency, and compliance. A comprehensive report of incidents displays essential data including the names of those involved, the date and time of the violation, location, description of the event, security concerns, and more.

Policies Report

As a HIPAA-covered entity, an OCR inspector will be assessing your organization’s ability to maintain privacy policies, update when needed, inform staff, and achieve proper implementation. The easiest way to demonstrate your compliance is by compiling a comprehensive record, or report, of all policies and procedures that align with HIPAA regulations. Ensure that these policies are up to date and be able to show staff acknowledgments. You will also want to keep a record of all previous policies to demonstrate program improvements and compliance with updated regulations. 

Courses Report

Education and training are essential components of OCR compliance. Ensure that your staff, from clinicians to administrative personnel, receives regular training and that all training is well-documented. You need a report that proves to an inspector that your staff understands their roles in protecting patient information. Courses should include topics on how to comply with HIPAA regulations, security best practices, recognizing phishing attempts, and the importance of password security.

Course Performance Report

Maintain a comprehensive report on the status of all employee training for HIPAA and compliance-related topics. An OCR inspector will want to verify your organization offers sufficient training to any staff who handle PHI. The OCR needs to know that your staff is not only informed of HIPAA laws and regulatory updates, but comprehends the learning material, is able to put it into action, and receives regular refreshers.  

How Technology Can Simplify OCR Compliance

In conclusion, preparing for an OCR inspection is a continuous process that requires dedication, diligence, and a commitment to protecting patient information. Technology can help to maintain a strong compliance program and prepare the right reports to navigate an OCR inspection successfully. Compliance is not just a regulatory requirement; it’s a commitment to patient trust and safety.

While compliance requirements have grown in complexity as regulations evolve, today’s technology offers ways for simplifying the process. Advancements in cloud-based software with remote access offer features like automation, digital document storage, and schedulable reports that can be customized. Organizations have the luxury of tailoring a compliance package that meets their specific needs. Watch this short video for an overview of what a modern, all-in-one compliance platform can do.