6 things to know about an OCR/HIPAA audit
4. There's overlap between undergoing an investigation and undergoing an audit. Sher-Jan referenced an incident at the UCLA Health System and a recent incident at Phoenix Cardiac Surgery to help prove his point. "One of the big things that got UCLA in trouble is they couldn't provide proof of training around privacy and security," he said. "Just to point out, there is a lot of overlap whether you're audited or investigated." Looking at the PCS resolution agreement, he said, the organization was called out on a number of different things and was "in complete ignorance of the privacy and compliance rules." "And that's something to point out [about] UCLA as well," he said. "They didn't have a security official identified, they didn't have a risk analysis, so I'd imagine there were a number of these safeguards that weren't in place." Whether you're being investigated or audited, he continued, there's significant overlap in terms of where OCR looks, "and the more they see you're not in compliance, the more they will dig and the more they will find."
5. It's all about clean, clear documentation. "One of the things about auditors that makes them happy is good, complete documentation upfront," said Apgar. Having good documentation, he said, will also make them less likely to want to "look under the rug … If you don't have that, they'll get suspicious and turn a little nastier." From a bottom line perspective, said Apgar, organizations should expect a letter from OCR, requesting information within 10 business days. "And that's 10 days since the letter was sent, not 10 days since you receive it," he said. "If you're the CEO, it takes a while for the letter to percolate down, so now you're way behind the 8 ball." Therefore, it's key to have documentation prepared ahead of time, paying attention to programs, policies, procedures, incident response plans and risk analysis. "That all needs to be centralized, so you can quickly grab it and make it available to the auditors," said Apgar.
6. Know auditors can look at anything and everything. The last thing that's important to know, said Apgar, is whether the auditor can look at or review patient information. "And the answer is yes, they can because they're working on behalf of the OCR and are in contract with them," he said. "Under the HIPAA regulation, if the secretary, meaning OCR, is investigating or auditing, then they have the right to see anything and everything." In the end, said Apgar, if your information is up-to-date and in line with HIPAA rules, you're good to go. "It needs to be current, accurate, complete and not only implemented, but enforceable," he said.
Follow Michelle McNickle on Twitter, @Michelle_writes