3 hot buttons that can trigger an OCR audit

This past November, the healthcare industry got its first taste of the new spot-check audits performed by the Office of Civil Rights (OCR) to enforce HIPAA compliance. Now, in the midst of the OCR pilot program, many providers are wondering if they'll be among the unlucky few to undergo an OCR audit.

"It's an issue that's getting a lot of air time right now, and a lot of people are wondering whether or when or what would cause them to be on this list of organizations that could get a call or a knock on the door from OCR," said Mahmood Sher-Jan, vice president of product management at ID Experts.

"It is like winning the lottery," said Chris Apgar, president and CEO at Apgar & Associates. "It's true – only 150 audits this calendar year, and the latest from the Office of Civil Rights is it's anticipating the program will start off in June instead of July. They anticipate finishing the pilots and collecting all the data by the end of this month, and doing the evaluation and modifications to the program to make it more consistent. So, if you happen to be lucky and your number comes up, there are really a few reasons why you're going to get an audit."

Sher-Jan and Apgar outline three hot buttons that could trigger an OCR audit.

1. Prior breaches involving 500 or more patient records. If you've reported one or more breaches affecting 500 patient records or more, said Sher-Jan, your chances of being audited could go up. "It's the types of event that would attract a headline for your organization and get you a lot of national coverage that could make you a target for being audited or a poster boy for lack of compliance," he said. There may not be hard evidence proving that numerous breaches automatically call for an audit, he added, but logically it is something to keep in mind. "The more your entity continues to get air time at the OCR and in the media, I think there is a probability that your chances would improve." The number 500 is key in keeping track of these types of breaches, since a breach of this size requires notifications to be made not only to those affected, but also to OCR. "That's when you show up on the Wall of Shame of OCR, and if you show up on that wall, your chances could increase," said Sher-Jan.
