On March 21, 2016, the HHS Office for Civil Rights (“OCR”) announced that Phase 2 of its HIPAA audit program is underway. The purpose of the audits is to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security and Breach Notification Rules. OCR intends to use the information gained from the audits for compliance improvement activities, such as developing guidance and tools, and, where warranted, for complaint investigations and compliance reviews.
Every covered entity, from health care providers and organizations to health plans, and every business associate is eligible for an audit. OCR will not audit entities that have an open complaint investigation or are currently undergoing a compliance review.
The first and second rounds of audits will be desk audits of covered entities and business associates, respectively. All desk audits should be completed by the end of December 2016. The third round will be more comprehensive than the first two and will be conducted onsite.
OCR is currently contacting potential auditees by email to verify their contact information. All covered entities and business associates should watch for an email from OSOCRAudit@hhs.gov. Check junk and spam folders regularly, as OCR communications can be mistaken for spam. It is important to respond promptly to any communication received from OCR. At the same time, a message of this kind is an obvious phishing lure, so confirm that the sender address is genuinely OSOCRAudit@hhs.gov and that any links point to hhs.gov before following them; if in doubt, contact OCR through its published channels rather than replying to the message.
The process is as follows:
Audit preparation steps include: