Phase 2 HIPAA Compliance Audits Underway, says OCR

Phase 2 of the HIPAA compliance audits is now underway, according to a recent announcement issued by the Department of Health and Human Services’ Office for Civil Rights (OCR).

The audits are being conducted to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The OCR explains that audits are an important tool that enables the OCR to assess whether organizations are implementing the necessary safeguards to keep ePHI secure and whether they are effectively protecting patient privacy.

The compliance audits help the OCR to develop new guidance to covered entities to assist them with their compliance efforts and to identify best practices that can be adopted to address security vulnerabilities and keep ePHI secure.

The first round of HIPAA compliance audits took place in late 2011 / early 2012. The second phase of the audit program has been much delayed; however, the OCR has confirmed that the process is now underway and that the audits will be taking place this year.

Phase 2 of the HIPAA compliance audits will primarily consist of “desk audits” of covered entities and their business associates. The first phase of audits covered many aspects of HIPAA, but the second phase will be much narrower in scope.

The audits will assess compliance with the Privacy Rule, Security Rule, and Breach Notification Rule. While the majority of audits will be desk-based, the OCR will also be conducting full compliance reviews of certain covered entities. Those HIPAA compliance reviews will involve site visits. The desk-based audits will consist of document checks.

The OCR will start the audit process by verifying covered entities’ contact information. Emails will be sent to all covered entities requesting verification of addresses and contact details. Covered entities will be required to respond to the email in a timely manner. Once the responses have been received and the OCR’s contact database has been updated, pre-screening questionnaires will be sent to covered entities to assess their suitability for an audit.

The OCR will require information about the size and type of the covered entity and the type of healthcare operations performed. The OCR will use these data to form a pool of covered entities. A geographically representative sample of covered entities of all types and sizes will then be taken from the pool and will be notified that they have been selected for an audit or compliance review.

The OCR will shortly publish an updated audit protocol on its website to advise covered entities of the aspects of HIPAA that will be assessed in the audits. The audit protocol will incorporate the changes that were introduced in the HIPAA Omnibus Rule. The OCR has suggested the audit protocol can be used by covered entities to perform internal compliance reviews ahead of the second phase of HIPAA audits.

The results of individual compliance audits will not be published and made available to the public, but the OCR has warned that it is obliged to adhere to the Freedom of Information Act (FOIA) and may be required to disclose which organizations have been selected for audit.

The OCR said in its recent announcement that “[The] audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news