OCR is now evaluating the Pilot Audit Program to further improve it

The General Approach of the Evaluation Study

  • Examination of the pilot audit program’s sampling methodology, workpapers, and supporting documentation to answer a series of research questions designed to understand the pilot program and use the information to drive outcomes.
  • Request for audited entity input on the pilot audit program through a non-invasive online survey.
  • Selection of a sample of health care organizations audited in the pilot program for input through further inquiries and/or inspection of documents.

OCR is using the evaluation to verify whether the pilot audit protocol provides the flexible, scalable tools it needs to assess and improve compliance of health care organizations. The evaluation also is intended to improve the audit program design and audited entity selection process. This will aid both consumers and health care organizations by ensuring a firm foundation for expansion of the audit program to examine the compliance efforts of more and different types of entities, including business associates. OCR will post lessons learned from the audit program to help organizations address common compliance challenges, learn how to conduct their own self audits, and better understand the process should they be selected for an audit in the future.

Expectations for Participating Entities

The evaluation will focus on the pilot audit program’s effectiveness, analyze the program’s strengths and weaknesses, and give recommendations for how OCR conducts future audits. The evaluation will focus on program design, implementation, and the experience of the covered entities that were audited during the pilot. No direct action is needed from entities that did not participate in the pilot audit program.

The evaluation team will coordinate with a subset of the 115 entities (approximately 8-10) to arrive at a mutually agreeable time to review their experiences. Details are below.

Selected Entities Will

  • Receive advance notice of at least a week to coordinate personnel and prepare responses to any minor, clearly-defined requests.
  • Have open lines of communication for any questions and to avoid any surprise requests.
  • Contribute to improving the audit program through their feedback, helping make a more efficient and effective audit program.
  • Have the opportunity to convey efforts taken to remediate findings or observations from the pilot audit.

Selected Entities Will Not

  • Receive any additional findings or observations as part of this evaluation.
  • Be expected to provide extensive documents or resources as the evaluation will mostly leverage documents from the pilot audits.
  • Be subject to on-site visits.
  • Be provided opportunities to refute findings noted in their audit report.


OCR will provide information about the evaluation to selected entity officials and staff and can address any questions that entities have about the evaluation and their roles in supporting the evaluation. Between March 2013 and August 2013 the evaluation team will examine the audit working papers and audit reports of selected entities. All of these documents will be provided by OCR to the evaluation team.

In July 2013, an online survey will be distributed to the 115 covered entities audited as part of the pilot program. OCR values feedback and encourages all pilot-audited entities to complete the survey. Responses will remain confidential. The evaluation team will select approximately 8-10 entities, based on survey results, for further interview in August 2013. The evaluation results and recommendations will be provided to OCR in September 2013.

OCR greatly appreciates support for its efforts to develop and enforce strong health information privacy and security protections.