7 steps to pass, or completely avoid, an OCR security audit


An OCR audit is usually triggered by one of two events: a patient files a complaint against a medical practice, or an internal whistleblower reports a breach to OCR.

“Breaches affecting 500 individuals or more must be reported to OCR, in addition to other reporting requirements,” explained Troy Young, Chief Technology Officer at AdvancedMD, who recently completed a master’s degree in cybersecurity from Utah Valley University. “However, there’s no direct correlation between the magnitude of a breach and OCR’s fine.”

Large fines, no matter the discrepancy size
A healthcare organization can be penalized with a large fine for even minor breaches if they make no effort to comply. The Department of Health and Human Services sets the annual limits based on the organization’s “level of culpability” for the violation.

“Between April 2003 and July 2018, more than 180,000 complaints were investigated by OCR,” Young reported. “Of those, more than 37,500 were what I would consider ‘audited,’ but only 55 resulted in financial penalties. The objective is not really to avoid penalties; it is to avoid the audit or make it as painless as possible.”

There are seven steps organizations should take to avoid or pass an OCR audit, according to Young.

Step 1: Educate, educate, educate
“As a first step, the organization must educate all staff members on requirements within the Office of the National Coordinator for Health IT Guide to Privacy and Security of Electronic Health Information,” he advised. “The guide discusses providers’ responsibilities under HIPAA; the privacy and security requirements of the Meaningful Use Programs; and approaches for implementing a security management process.” The remaining six steps are best practices and recommendations covered in the ONC Guide to Privacy and Security, Young said.

Step 2: Hire a security officer
“Designate a security officer to safeguard the patients’ electronic protected health information from unauthorized access by implementing cybersecurity best practices and coordinating efforts,” Young advised.

Step 3: Policies and procedures
Next, review the documentation of policies and procedures, since every organization is required to adopt reasonable and appropriate policies and procedures to comply with the security regulations, Young said.

Step 4: Perform a security risk analysis
A security risk analysis is another key step healthcare provider organizations should take in order to avoid or pass an OCR audit, Young said. “By performing a risk assessment, an organization can identify compliance gaps and put a plan in place to correct the issues and pass the audit,” he said. “The annual assessment covers physical, administrative, technical and organizational components.”

Step 5: Vendors & contractors
A security officer should review the EHR and other software packages and discuss data protection with each vendor, Young added. Organizations using on-premises EHRs need onsite staff to maintain and oversee the hardware and software, including regular anti-virus and anti-malware software installation on all computers, daily data backups, and regular backup restore tests, he advised.

Step 6: Review vendor & contractor agreements
Also, healthcare organizations should review business associate agreements with all vendors/contractors who have access to PHI, Young said.

“A business associate is any person or organization that interacts with the organization’s PHI,” he explained. “The organization must make sure all business associates perform risk assessments annually. Whether it’s a referring physician, software vendor, laboratory, or medical imaging group who’s handling the records, their breach will also affect the organization.”

Step 7: Phishing, passwords and unencrypted PHI
In addition to regular educational sessions on the ONC’s Guide to Privacy and Security, this step covers the everyday habits of staff: being alert to phishing emails, setting strong passwords and updating them regularly, making sure information is sent only to the intended recipients, and handling unencrypted PHI with care, he said.

The full article includes more in-depth information on what you need to do to avoid an audit.

Read the entire article in HealthCare IT News.

Troy Young, AdvancedMD CTO

Article courtesy of Bill Siwicki of Healthcare IT News, a HIMSS Media publication.