The first twenty audits conducted by KPMG on behalf of OCR are complete and under review as we speak by OCR. We have published several posts and conducted several webcasts with respect to the audit process, timeline and how to prepare. In our presentations we have covered the types of information requested by the auditors, but not the actual document request list.
The list contained here is the one received from our client. It is instructive as to the types of information you will be asked to produce if audited, but there are a few caveats that I would like to remind everyone of as well.
1. The audit protocol and all of its supporting documentation to include this list are still under review by OCR and subject to revision. If you recall the process that OCR laid out for the pilot phase of the first 20 audits, there would be a review and time to revise the audit protocol, as appropriate, then more audits, and more opportunity to review/revise, with the goal of having a final audit protocol by year’s end. Sue McAndrew, OCR, reconfirmed this when she and I spoke this past week at the NCHICA Academic Medical Centers Privacy & Security Conference in Raleigh/Durham. So the first caveat the list is subject to change.
2. Like any audit tool, this document request list may be applied differently depending on the size and type of organization and/or there may also be other forms of the list for other organizations. The list shared here went to a hospital. We understand that there are multiple, context-based audit protocols, as well as protocols for the audits of particular aspects of the Rules, per the contract between the OCR and KPMG. Sue McAndrew also provided that they hope to have the final protocol(s) and supporting documentation available for everyone before year’s end.
As we have shared with many of your, the list herein is communicated as an attachment to the Notice of Audit letter that each site receives to start the audit process. It is related to the first requirement in the audit process, providing documentation to the audit team within 10 business days of the date of the audit letter, and represents the first opportunity for the site to demonstrate readiness. Collecting and providing the documentation on the list can be a daunting task for large institutions, organizations with decentralized execution, of if organizations don’t have their documentation well organized and accessible. As you look at this list be thinking about how readily you can collect, organize and transmit your responses to this request. Is your documentation current? Is it complete? Does all of the “supporting” documentation referenced in your policies/procedures live together? Does operational practice align with what is communicated in your documentation? These are all important questions to answer before the audit. So, without further adieu, here is the list: