The OCR has Launched Phase 2 of the HIPAA Audit Program: What to Expect from OCR's Phase 2 HIPAA Audits

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has launched Phase 2 of the HIPAA Audit Program.  The audits are designed to assess whether covered entities and their business associates are complying with the HIPAA Privacy, Security, and Breach Notification Rules.  The audits will enable OCR to examine potential risks and develop tools to assist the health care industry in preventing breaches of protected health information.  In the face of these audits, it is critical that health care providers and their business associates have formal, written policies and procedures that comply with the requirements of HIPAA and HITECH. 

Who will be selected for a Phase 2 audit?

All health care providers, including doctors’ offices, ambulatory surgery centers, hospitals, etc., as well as their business associates, are subject to an audit.  Auditees will be selected based on size, affiliation with other health care organizations, the type of entity and its relationship to individuals, whether the organization is public or private, and geographic factors.  OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.   

What types of audits are being conducted?

Phase 2 will consist of both desk and on-site audits.  The first round of desk audits will focus on covered entities, followed by a second round of desk audits of business associates.  The desk audits will examine compliance with specific HIPAA requirements, and are expected to be completed by December 2016.  The third round of audits will be on-site audits that will target both covered entities and business associates.  The on-site audits will examine a broader scope of HIPAA requirements and will be conducted over a period of three to five days.  An auditee may be selected for both a desk audit and an on-site audit.       

How are the audits being conducted?

OCR is sending emails to covered entities and business associates asking them to verify their contact information.  These entities will then receive a pre-audit questionnaire that requests information about their size, type, and operations.  OCR will use this information to create potential pools of auditees. 

Entities selected for a desk audit are then notified by email and will be asked to provide documents and other data.  Auditees will have ten business days to submit the requested information through OCR’s secure online portal.  OCR then reviews the documentation and develops draft findings.  Auditees have the opportunity to review the findings and submit a response within ten business days.  Those responses will be included in the final audit report, which will be shared with the auditees.   

Entities will also be notified by email if they are selected for an on-site audit.  As with the desk audits, auditees will have ten business days to review the draft findings and submit a response.  OCR will share a copy of the final audit report with the auditee. 

What are the potential implications? 

Audits that reveal serious issues may result in an OCR compliance review, which could result in significant civil money penalties. 

What can you do to prepare?

  • Ensure that your policies and procedures governing privacy, security, and breach notification are up-to-date and compliant.  Many smaller health care providers and business associates either do not have the formal policies and procedures required by HIPAA, or those policies and procedures need to be reviewed and updated to comply with the current regulations.  The health care attorneys at Tydings can help you prepare these documents, train your staff, and otherwise assist with the audits.

  • Ensure that OCR’s emails are not being sent to your spam or junk email folder.  OCR expects covered entities and business associates to check their spam and junk email folders for audit-related correspondence.  You may want to “whitelist” OCR’s sending address to ensure you receive notifications.  Note that whitelisting a sender address does not authenticate a message; before acting on audit-related email, confirm that any link points to OCR’s secure online portal and that the request is consistent with the process described above.

  • Respond to OCR’s requests.  OCR has made it clear that if an entity fails to respond to OCR’s requests for information, it may still be selected for an audit.  In that instance, OCR will simply use publicly available information about the entity.  In addition, failure to respond may trigger a compliance review of the entity.  

  • Prepare a list of business associates.  OCR will be asking covered entities to identify their business associates on the pre-audit questionnaire.  Prepare this list in advance, including the contact information for each business associate, so you are able to respond to this request. 

Please contact Greg Garrett if you have any questions or would like additional information on HIPAA and HITECH compliance, as well as OCR’s Phase 2 Audit Program. 

This alert has been prepared by Tydings for informational purposes only and does not constitute legal advice.