Skip to Content

Phase 2 of the HIPAA Audit Program Begins

Publications - Client Alert | March 28, 2016

The Department of Health and Human Services Office for Civil Rights (OCR) reminded the public this week that Phase 2 of the HIPAA Audit Program (Phase 2) has begun.

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the OCR conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Phase 1 of the HIPAA Audit Program was, essentially, a pilot audit program assessing covered entities. You can learn more about Phase 1 by clicking here.

Phase 2 Pre-selection Process

OCR is currently identifying the audit targets, and will use a pre-audit process to do so. We know that Phase 2 will include both covered entities and business associates.

What everyone wants to know is how audit targets will be selected. OCR said:

“For this phase of the audit program, OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates. By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees. Sampling criteria for auditee selection will include size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.”

OCR has pointed out that initial communications to gather accurate contact information will be sent to the organization via email, and may be incorrectly classified as spam. OCR suggests that your organization check its junk/email spam and assure that emails coming from OSOCRAudit [at] are designated as a safe sender. Organizations must respond to OCR’s initial email request within 14 days.

Audit Selection

OCR anticipates using both desk and on-site audits. OCR will email the target organizations to alert them to the audit process and whether they have been selected for a desk or on-site audit. Organizations can expect that on-site audits will be more comprehensive than desk audits.

The email notification of a desk audit will include an introduction to the OCR audit team, explain the process, and request initial documentation. The organization will have to submit the requested documentation electronically via secured site within 10 business days from the information request. On-site audits will be scheduled with the expectation that the auditors will be present for 3-5 days.

Response and Review

Both on-site and desk audits will have an initial draft findings component on which the organization is to return written comments to OCR within 10 business days. Thereafter, a final audit report will be issued.

OCR is trying to highlight that Phase 2 and the HIPAA Audit Program in general is to be a “compliance improvement activity” – but reminds the public that if an audit indicates a “serious” compliance issue, a compliance investigation may result.

Are You Prepared?

Any communication or letter from the OCR will sound alarm bells for your organization. What is equally alarming is the speed under which OCR expects information to be gathered and delivered. As such, it is critical that any HIPAA covered entity or business associate is always prepared to respond to these requests.

Furthermore, it is important that your organization is on the lookout for these emails and assure that not even one hour is wasted following the receipt of such an email. Talk with your IT department to assure that OCR’s message will not get caught in a spam or junk folder and confirm with the Privacy Officer at your organization there is an active, in-office person who will receive the OCR email during all business hours.

Additional Information

You can read OCR’s press release regarding the Phase 2 program by clicking here.

You can read HHS’s informational page about the Phase 2 HIPAA Audit Program by clicking here.

If your organization is in need of a HIPAA compliance review or training, please contact your Kutak Rock attorney or a member of the National Health Care Group listed below.