Group Health Plans and Their Business Associates: Phase 2 of the HIPAA Audit Program Is Underway

Publications | April 11, 2016

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently reminded the public that Phase 2 of the HIPAA Audit Program (Phase 2) has begun. Our October 1, 2015 Client Alert provides additional background information regarding the Phase 2 audits.

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the OCR to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Phase 1 of the HIPAA Audit Program was, essentially, a pilot audit program assessing covered entities. You can learn more about Phase 1 by clicking here.

Phase 2 Pre-selection Process

OCR is currently identifying the audit targets, and will use a pre-audit process to do so. Phase 2 will include both covered entities (such as group health plans) and business associates.

What everyone wants to know is how OCR will select audit targets. OCR officials have informally noted that all covered entities that have contact information on file at HHS/OCR have been sent the pre-audit email. For example, OCR could have contact information on file because a business associate or covered entity reported a HIPAA breach.

Initial communications will be sent via email, which could be incorrectly classified as spam. OCR suggests that your organization check its junk/spam email folders and ensure that emails coming from OCR are designated as a safe sender. Organizations must respond to OCR’s initial email request within 14 days. Among other things, failing to respond to the email request could raise suspicions at OCR and result in additional inquiries.
OCR anticipates using both desk and on-site audits. We expect that on-site audits will be more comprehensive than desk audits. On-site audits will likely last for 3 – 5 days. Both on-site and desk audits will have an initial draft findings component. The audited organization must return the initial draft findings component with written comments to OCR within 10 business days. Thereafter, a final audit report will be issued.

OCR is trying to highlight that Phase 2, and the HIPAA Audit Program in general, is intended to be a “compliance improvement activity” – but reminds the public that if an audit indicates a “serious” compliance issue, a compliance investigation may result.

Are You Prepared?

Any communication from the OCR should be given immediate attention, especially given the speed with which OCR expects information to be gathered and delivered. As such, it is critical that any HIPAA covered entity or business associate be prepared to respond to these requests.

To help prepare, business associates and covered entities (e.g., group health plans) should be on the lookout for emails from the OCR. We recommend contacting your IT department to ensure that OCR’s email will not get caught in a spam or junk folder. You should also check inactive email addresses to which an OCR email may have been sent. Your Privacy Officer should confirm there is an active, in-office person who will receive the OCR email during all business hours. You should also ensure that all HIPAA policies and procedures are up to date, that group health plans and other covered entities have entered into business associate agreements, and that the records HIPAA requires to be retained are organized in a central location.

Additional Information

You can read OCR's press release regarding the Phase 2 program by clicking here.

You can read HHS’s informational page about the Phase 2 HIPAA Audit Program by clicking here.

To help ensure compliance with HIPAA, you should consider conducting a HIPAA compliance review or additional HIPAA training. For additional information, please contact a member of our Employee Benefits Practice Group listed in the right-hand column.