Phase 2 of HIPAA Audit Program Now Underway

Phase 2 of HIPAA Audit Program Now Underway


Published: March 28th, 2016

On March 21, 2016, The HHS Office for Civil Rights (“OCR”) announced that the Phase 2 of HIPAA audits are now underway.  The purpose of the audits is to assess the compliance of covered entities and business associates with HIPAA Privacy, Security and Breach Notification Rules.  OCR intends to use the information gained from audits for compliance improvement activities such as enforcement tools, complaint investigations and compliance reviews.

Who will be audited?

Every covered entity from health care providers and organizations to health plans and business associates are eligible for an audit. OCR will not audit entities that have an open complaint investigation or are currently undergoing a compliance review.

What to expect?

The first and second set of audits will be desk audits for covered entities and business associates. All desk audits should be completed by the end of December 2016. The third set of audits will be more comprehensive than the first two rounds and conducted onsite.

OCR is currently contacting potential auditees by email to verify their contact information. All business associates and covered entities should look for an email from OSOCRAudit@hhs.gov. Be sure to check junk and spam folders regularly, as OCR communications can be mistaken as spam. It is important to respond promptly to any communication received from the OCR.

The process is as follows:

  • A letter will be sent by email with a pre-audit questionnaire; requesting information about the size, type, and operations of the organization.
  • Complete the questionnaire.
  • If selected for an audit, entities must produce their policies and procedures.
  • Selected entities will submit documents online through the audit portal on OCR’s website.
  • OCR findings will be shared with the entity.
  • The entity will have an opportunity to respond to the findings, and written responses will be included in the final report.

How to prepare?

Audit preparation steps include:

  • Make sure to check all emails, including junk and spam folders, regularly for emails from OCR.
  • Review all policies and procedures to ensure compliance with current HIPAA regulations.
  • Consider conducting an internal audit to identify any deficiencies or areas for improvement.
  • Address any identified deficiencies or issues.