Compliancy Group's HIPAA OCR Audit Response Program - NEW!

Modified on Tue, 2 Jul at 2:15 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Subscribers to The Guard have access to Compliancy Group’s HIPAA OCR (Office for Civil Rights) Audit Response Program (OCR ARP). Under the OCR Audit Response Program, we assist users in the event of an HHS Office for Civil Rights (OCR) HIPAA investigation or HIPAA audit. We do this by gathering documentation and reports from the user's own Guard compliance program. The documentation we gather is whatever documentation OCR has asked the client to provide. We provide that documentation to the client, and the client then forwards it to OCR.

The specific OCR information requests determine what documentation we provide. We can provide specific policies and procedures, audit reports, training attestations, or other documentation that The Guard is capable of generating. When OCR requests documentation from a client, the request typically has a response deadline. Through the ARP, Compliancy Group works with the client's organization to provide documentation so the client can meet these OCR deadlines. If and when OCR requires the client to provide follow-up documentation, we gather that documentation from The Guard, to the extent we are able to do so, and provide it to the client. The client then provides the documentation to OCR. The OCR Audit Response Program does not include consulting or legal services. (If, for example, OCR asks a client a question that requires the client to produce documentation and the question involves interpretation of the law, we cannot assist with the interpretation.)

This article covers what the OCR Audit Response Program is, how it functions, what a Corrective Action Plan (CAP) is, and how CG assists clients under the OCR ARP and with a CAP.

When Does OCR Contact Clients?

The Department of Health and Human Services’ Office for Civil Rights (OCR) may contact covered entities and business associates about HIPAA complaints made or filed against them, or about potential data breaches. OCR may then decide to formally investigate the complaint, allegation, or breach.

During its decision-making process, or at a later point, OCR may write to a covered entity or business associate, notify the covered entity or business associate of allegations of HIPAA non-compliance, and request that the entity provide specific information or documentation. Requests may include requests for policies and procedures that were in place during a specific time frame; requests for information about whether an entity performed a security risk assessment; or requests for other documents, such as documents showing an entity’s workforce was trained on particular aspects of a HIPAA rule or a policy or procedure.

If a client has been contacted by OCR, the client should contact Compliancy Group support so we can discuss how to prepare a response to OCR.


Email: support@compliancygroup.com

Call the HIPAA Hotline: (855.85.HIPAA) 855.854.4722, press 2 for support


What Does the Audit Response Cover?
As part of our Audit Response Program, we will work with the compliance officer of the client's organization to meet deadlines for requests for information and documents, requests for reports that can be accessed from The Guard, and follow-up requests for documents and information. There are two scenarios in which the ARP applies:

1. CAP: OCR requests may be made through a Corrective Action Plan (CAP). A CAP is issued as part of an OCR enforcement action, such as alongside a civil monetary penalty. A CAP requires the organization to develop, maintain, and update policies and procedures, typically for a period of one or two years. We work with clients to provide OCR with documents created and maintained in The Guard that are responsive to CAP requests. We provide the documentation to the client, and the client provides the documentation to OCR.

2. Data Request: Sometimes, when a client onboards, the client is not yet under a CAP, but OCR is investigating the client's compliance to determine whether a CAP or other enforcement action is warranted. In this case, OCR may ask the client whether it has particular policies and procedures, and may ask other questions or seek other information. This request for information is called a Data Request; the first such request is called an Initial Data Request.


We can assist with a Data Request by providing the client with the policies and procedures, audits, or training records that the client has already completed using The Guard. The client can then provide the responsive documents to OCR.

Clients should notify us of any document submission deadlines OCR has imposed, whether under a CAP or any other request for information. We recommend that clients share as much of the CAP request or document request as possible, so that we can identify everything in The Guard that is responsive and ensure an effective response.


What Kinds of Investigations Do We Assist With?
Our assistance with OCR HIPAA investigations is prospective, not retrospective. Compliancy Group provides documentation that clients have stored and completed through The Guard since becoming clients with us. 


We do not assist with remediating breaches or violations, and we do not provide legal advice with respect to those breaches or violations. We do not provide documentation that was generated or completed before an organization became a client of ours. For a client that sustained a violation before working with us, the documents we provide (for the client to give to OCR), whether requested under a CAP or another request for information, are limited to documentation of what the client has done in The Guard since becoming a client. If OCR wants documentation of a policy or procedure that was in place before an organization became a client of ours, we cannot provide that documentation.

In the event an investigation begins after someone becomes a CG client, Compliancy Group assists that client by gathering documentation from The Guard that is responsive to OCR document requests. We provide the documentation to the client. The client furnishes the information to OCR.

What Does the Audit Response Program NOT Cover?
The OCR Audit Response Program covers situations where a client has been contacted by the Office for Civil Rights of the Department of Health and Human Services. The OCR Audit Response Program is not available for:

1. State agency/state law investigations or audits.

2. Audits, including vendor audits, by private parties.

3. Investigations by federal agencies other than HHS’ OCR. 

4. Assistance with inquiries made of clients that are not related to HIPAA or the HIPAA regulations.

Note about clients who are represented by an attorney:
When a client contacts us about an OCR CAP, or about a Data Request that OCR has issued to determine whether enforcement action is warranted, the client may already be represented by an attorney with respect to the OCR matter. If so, Compliancy Group recommends that the client notify their attorney that the client has asked Compliancy Group whether it can assist with the CAP or Data Request. The attorney may wish to be informed of the Audit Response Program and Compliancy Group's role in providing it, so that the attorney can consider whether and how attorney-client privilege might extend to Compliancy Group's work.
