Phase 2 HIPAA Audit Program Begins

The Department of Health and Human Services’ Office for Civil Rights has announced that the phase 2 HIPAA audit program has now started. Covered entities are now being emailed to verify contact information and to gather preliminary information.

The initial stage of the phase 2 HIPAA audit program requires OCR to form the sample pool from which covered entities are chosen. The emails have been sent to the contacts OCR has listed for each covered entity. Once contact details have been confirmed, OCR will begin sending out pre-screening questionnaires. The purpose of the questionnaires is to gather information on the size of organizations and the healthcare functions that each performs, and to obtain an up-to-date list of business associates.

OCR will be conducting the phase 2 HIPAA audit program on a geographically representative selection of covered entities, including healthcare providers and health insurers/health plans of all types and sizes.

What to Expect from the Phase 2 HIPAA Audit Program

Jocelyn Samuels announced the launch of the Phase 2 HIPAA audit program at the 24th National HIPAA Summit in the District of Columbia. She explained OCR will be conducting 200 desk-based audits in the first two stages of the program. The first round of 150 audits will take place on covered entities, with the second round of 50 audits to be conducted on business associates.

The desk-based audits will essentially consist of a document check and will look at specific aspects of Privacy Rule, Security Rule, and Breach Notification Rule compliance. Samuels said, “We’ll be looking at risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications.” The audits are expected to be completed by the end of the year.

Samuels did not say when the audits will actually commence, although the process of selection will take some time, as will the collation of data from the pre-audit questionnaires. The verification letters are still being sent and that process should be completed this week. Covered entities are expected to respond within 10 days. After the responses have been received, the pre-audit questionnaires will be sent. It is likely to take around 4 to 6 months for the audits to actually commence.

Covered entities selected for audit will be notified and requested to submit a range of documentation via a new web portal set up specifically for the phase 2 HIPAA audit program. The documentation will be assessed by an auditor and comments will be returned to the covered entity for review and comment. After comments have been received, a final report will be sent back to the covered entity within 30 days.

Desk Audits to be Followed with a Round of Full Compliance Audits

The final round of audits will involve site visits and will look at a much broader range of HIPAA compliance issues. If OCR discovers serious compliance issues during the desk audits, this may trigger a full compliance review of the organization. The third-stage audits will take between 3 and 5 days to conduct and are not expected to start until early 2017.

The aim of the phase 2 HIPAA audit program is to identify any systemic structural issues that OCR can do a better job of addressing. The audits will raise awareness of compliance obligations, and the information gained during the audits will be used by OCR to develop compliance tools and technical guidance to assist covered entities. The results of the audits will also help OCR develop its long-awaited permanent HIPAA audit program.

Further information on the phase 2 HIPAA audit program can be found on the HHS website.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of