Provided by: Jennifer Kirschenbaum, Esq.
March 27, 2018
I have been contacted by OCR via email, and they sent me a questionnaire, should I answer it?
Thanks, Dr. O
Good question, always best to check. The Office for Civil Rights (OCR), as we know, is the HIPAA Police - the arm of the Federal Government responsible for enforcing HIPAA compliance on covered entities. The email you received is part of Phase 2 of OCR's Audit Program. If "Phase 2" sounds ominous, that is because the questionnaires going out are data collection to create a pool for audit. If this sounds like preparation for invasion, your interpretation is not too far off. OCR plans to use the data to create potential audit targets for a full-scale assessment of compliance. Questions will cover information such as the size of your practice, type and operations - specifically with regard to your technical, physical and administrative safeguards in place to protect patient protected health information. Here is an overview of Phase 2 - https://www.hhs.gov/sites/default/files/OCRDeskAuditOpeningMeetingWebinar.pdf.
If you're thinking that deleting or ignoring an email from OCR will keep you off the radar, well, that is just ridiculous. The reality is you would likely be selected regardless, unless you provided such stellar proof of compliance pre-audit that you are checked off the list. Now, of course, not every covered entity is going to be audited by OCR. But, if you are selected and you do not have in place the required policies and procedures, you may be subject to substantial monetary fines.
We all know we need protections in place when it comes to patient privacy - now the agency in charge is actively auditing, on top of already being one of the most accessible agencies for patient and employee reporting/whistle-blowing.
How do you pass the questionnaire? Get your compliance in place (a Security Policy at a minimum - conduct your Security Risk Assessment - click here and create your action plan) and work with counsel to respond if selected for inquiry or audit by OCR.
For our HIPAA policies and procedures, click here - http://www.healthcarepracticecompliance.com/.