Phase 2 HIPAA Audit Protocol Released

The Department of Health and Human Services’ Office for Civil Rights published the new phase 2 HIPAA audit protocol this week. The protocol details the inquiries that will be made when the audits are conducted later this year.

The second round of audits has been much delayed, and while the OCR has indicated progress was being made, the publication of the phase 2 HIPAA audit protocol suggests that the delays have come to an end and the audits will certainly be progressing as planned.

Since the first round of audits took place in 2011/2012, the Health Insurance Portability and Accountability Act has been amended. The Omnibus Final Rule, which was published on Jan. 25, 2013, introduced a number of changes that needed to be incorporated into the phase 2 HIPAA audit protocol.

The Omnibus Final Rule introduced many changes, including strengthening privacy protections for patients and permitting them to obtain an electronic copy of their protected health information from their healthcare providers. Additional restrictions were placed on the use of PHI for marketing and fundraising, and exceptions to the Breach Notification Rule were amended. A number of changes were also introduced concerning Business Associates of covered entities.

These changes have now been incorporated into the phase 2 HIPAA audit protocol. Covered entities will be assessed on compliance with the new provisions, in addition to those detailed in the Privacy Rule, Security Rule, and Breach Notification Rule.

While the list of elements of HIPAA Rules that OCR can potentially assess is long, the main focus is expected to be on risk analyses, risk management, notices of privacy practices, how organizations are responding to requests from patients to obtain a copy of their PHI, and timeliness of breach notifications.

The Phase 2 HIPAA Audit Protocol Includes A Broad Range of Potential Inquiries

OCR officials previously said that phase 2 of the HIPAA compliance audits would be much narrower in scope than the first round of audits, although the list of potential inquiries that OCR will be making has actually increased. Over 180 different aspects of the Privacy, Security, and Breach Notification Rules could potentially be assessed by OCR-appointed auditors.

The audits will be conducted in modules, with each assessing a specific set of compliance issues. Many covered entities will be selected for audit on one module, although combinations of modules will be possible. This will be determined by the size and type of organization.

The first round of audits will be desk-based and will consist of a document check. They will be conducted on healthcare providers, health plans, and healthcare clearinghouses. These will be followed by audits on business associates, with a round of full compliance audits to follow.

Covered entities have now been contacted via email as part of a contact information check, and short questionnaires will soon be sent to assess suitability for audit. Once those responses have been received, OCR will select a sample of organizations for audit. The chosen organizations will be notified of selection in May, while business associates will receive their notifications in June and July.

The audits will take place in the second half of the year and will be completed by December, with the full compliance audits expected to commence early in the New Year.

OCR had previously indicated the phase 2 HIPAA audit protocol would be open for a commenting period. While comments are now being accepted via email, there is no actual comment period. The phase 2 HIPAA audit protocol is final and will be used in the upcoming audits.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of