The Compliancy Group HIPAA OCR Audit Response Program

Modified on Tue, 13 Feb at 5:47 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Subscribers to The Guard have access to Compliancy Group’s HIPAA OCR (Office for Civil Rights) Audit Response Program (OCR ARP). Under our OCR Audit Response Program, we assist users in the event of an HHS Office for Civil Rights (OCR) HIPAA investigation or HIPAA audit. We assist users by gathering documentation and reports from the user's unique Guard compliance program. We gather whatever documentation OCR has asked the client to provide. We provide the documentation to the client. The client then forwards the information to OCR.

The specific OCR information requests determine what documentation we provide. We can provide specific policies and procedures, audit reports, training attestations, or other documentation that The Guard is capable of generating. When OCR requests documentation from a client, the request typically has a response deadline. Through the ARP, Compliancy Group works with clients' organizations to provide documentation so the client can meet these OCR deadlines. If and when OCR requires the client to provide follow-up documentation, we gather that documentation from The Guard, to the extent we are able to do so, and provide it to the client. The client then provides the documentation to OCR. The documentation, as evidence of the client's compliance efforts, can be used by the client to demonstrate that the client has made a "good-faith" effort to comply with HIPAA regulations. The OCR Audit Response Program does not include, and does not function as, consulting or legal services. (If, for example, OCR asks a client a question requiring the client to produce documentation and the question involves interpretation of the law, we cannot assist with the interpretation.)

This article covers what the OCR Audit Response Program is, how it functions, what a Corrective Action Plan (CAP) is, and how CG assists clients under the OCR ARP and with a CAP.

When Does OCR Contact Clients?

The Department of Health and Human Services’ Office for Civil Rights (OCR) may contact covered entities and business associates to speak with them about HIPAA complaints made or filed against them, or about potential data breaches. OCR may decide to formally investigate a complaint or allegation or data breach.

During its decision-making process, or at a later point, OCR may write to a covered entity or business associate, notify the covered entity or business associate of allegations of HIPAA non-compliance, and request that the entity provide specific information or documentation. Requests may include requests for policies and procedures that were in place during a specific time frame; requests for information about whether an entity performed a security risk assessment; or requests for other documents, such as documents showing an entity’s workforce was trained on particular aspects of a HIPAA rule or a policy or procedure.

If a client has been contacted by OCR, the client should contact Compliancy Group support so we can discuss how to prepare a response to OCR.


Email: support@compliancygroup.com

Call the HIPAA Hotline: (855.85.HIPAA) 855.854.4722, press 2 for support


What Does the Audit Response Cover?
As part of our Audit Response Program, we will work with clients’/organizations’ compliance officers to meet deadlines for requests for information and documents, requests for reports that can be accessed from The Guard, and follow-up requests for documents and information. There are 2 scenarios when the ARP kicks in:

1. CAP: OCR requests may be made through a CAP, or corrective action plan. A CAP is issued after OCR has imposed a civil monetary penalty. A CAP requires organizations to develop, maintain, and update policies and procedures (typically the CAP lasts for one or two years). We work with clients to provide OCR with documents in The Guard that are responsive to CAP requests. We provide the documentation to the client, and the client provides the documentation to OCR.

2. Sometimes, when a client onboards, the client is not yet in a CAP, but OCR is investigating the client's compliance to determine whether a CAP or other enforcement action is warranted. In this case, OCR may ask the client whether it has particular policies and procedures. The client may ask for information in the form of a "Data Request" (commonly, "Initial Data Request"). We can assist under the ARP by providing the client with the policies and procedures, audits, or training that the client may already have completed and stored with us. The client can then provide the documents to OCR. The documents themselves serve to verify and validate a client’s good-faith compliance efforts. To “verify” something is to state that it is true. To “validate” something is to back up that claim with evidence.

Clients must notify us of any document submission deadlines OCR has imposed, whether under a CAP or any other request for information.  We recommend that clients share as much of the CAP request or document request as possible, to ensure an effective response.


What Kinds of Investigations Do We Assist With?
Our assistance with OCR HIPAA investigations is prospective, not retrospective. Compliancy Group provides documentation that clients have stored and completed through The Guard since becoming clients with us. 


We do not assist with remediating breaches or violations (or provide legal advice with respect to these breaches/violations) that occurred before someone became a client. The documents we provide to clients who sustained a violation before working with us, whether requested under a CAP or other request for information, are limited to documentation of what the client has done while working with us to mitigate the effects of a "pre-CG violation." (Mitigation measures may include developing policies and procedures, conducting security risk analyses, imposing appropriate employee sanctions, and similar measures.) If OCR wants documentation of a policy and procedure that was in place before an organization became a client of ours, we cannot provide that documentation, since we do not have it.

In the event an investigation begins after someone becomes a CG client, Compliancy Group can assist that client by gathering documentation responsive to OCR document requests. Compliancy Group can provide any evidence uploaded to The Guard by a client to support their compliance. We provide the documentation to the client. The client furnishes the information to OCR.

What Does the Audit Response Program NOT Cover?
The OCR Audit Response Program covers situations where a client has been contacted by the Office for Civil Rights of the Department of Health and Human Services. The OCR Audit Response Program does not apply to/is not available for:

1. State agency/state law investigations or audits.

2. Audits, including vendor audits, by private parties.

3. Investigations by federal agencies other than HHS’ OCR. 

4. Assistance with inquiries made of clients that are not related to HIPAA or the HIPAA regulations.

Note about clients who are represented by an attorney:
When a client contacts us about an OCR CAP or Data Request to determine whether enforcement action is required, the client may already be represented by an attorney with respect to the OCR matter. If a client is already represented, Compliancy Group recommends that the client notify their attorney that the client has asked Compliancy Group whether Compliancy Group can assist with the OCR or data request. The attorney might wish to be informed of the audit response program and Compliancy Group's role in providing it, for purposes of potential extension of attorney-client privilege to Compliancy Group's work.
