OCR’s Highly Anticipated Phase 2 HIPAA Audits: Ready or Not!

As part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) recently announced the launch of its Phase 2 HIPAA audits. Certain Covered Entities (CEs) and Business Associates (BAs) have already begun receiving emails from OCR seeking audit contact information. In a recent press release, OCR noted that audits are an important compliance tool that supplements its other enforcement tools, such as complaint investigations and compliance reviews.

The Phase 2 Audit Program is aimed at reviewing policies and procedures of selected CEs and BAs to evaluate HIPAA compliance, identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

According to OCR, the Phase 2 Audit Program will be a three-step audit process. The first set of audits will be desk audits of CEs, followed by a second round of desk audits of BAs. All desk audits will be completed by the end of December 2016. Finally, a third set of 24 comprehensive, on-site audits will be conducted. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to investigate further. OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

While OCR’s audit protocol has not been finalized, the agency has identified the following areas of focus:

  • Privacy Rule Compliance — how CEs are meeting Privacy Rule requirements for notices of privacy practices and how CEs are handling patients’ right to access PHI;
  • Security Rule Compliance — implementation of policies and procedures for a risk assessment of the safeguards protecting systems that handle e-PHI, as well as the organization’s mitigation plan to address gaps identified through the risk assessment; and
  • Breach Notification Rule Compliance — whether the CE is aware that an unauthorized use or disclosure of PHI is reportable under the Breach Notification Rule, as well as processes for making the required notifications if a breach occurs.

Once finalized, updated audit protocols will be posted on the OCR website and can be used as a tool by organizations to conduct internal self-audits as part of their ongoing HIPAA compliance activities.

OCR’s audits are intended to enhance industry awareness of compliance obligations and enable OCR to better target areas requiring technical assistance to aid in such compliance. Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in breach prevention. OCR states that it will evaluate the results and procedures used in the Phase 2 audits to develop the formal permanent audit program mandated by the HITECH Act.

To prepare for the Phase 2 audits and information requests, Woods Rogers and Healthcare Compliance Resources recommend that CEs and BAs do the following:

  • CEs should prepare a list of their BAs so they can readily provide this information to OCR upon request. They should ensure that all BA Agreements are current and in compliance with the changes brought about by the Omnibus Rule of 2013;
  • Add the OCR email address, OSOCRAudit@hhs.gov, to their “safe list” and regularly check their spam and junk mail folders for emails from OCR;
  • Make sure that all HIPAA Privacy, Security and Breach Notification policies are up to date and readily accessible, as OCR expects requested information to be submitted within 10 business days; and
  • Periodically check the OCR website for the updated Phase 2 audit protocols, as these will be a valuable tool for conducting internal self-audits as part of the organization’s ongoing compliance program.

The potential for violations of the HIPAA Privacy and Security Rules is an ever-present risk that continues to grow as the use of technology and government enforcement increase. The time to evaluate and assess your regulatory compliance is now – don’t wait for an OCR audit. The Health Care Group at Woods Rogers, PLC and Healthcare Compliance Resources are ready to assist you with developing, reviewing and updating HIPAA policies and procedures; improving HIPAA compliance; and responding to OCR during an audit, compliance review or investigation. Healthcare Compliance Resources, an affiliate of Woods Rogers Consulting, stands ready to conduct Security Rule Risk Assessments and evaluate your current HIPAA compliance status for OCR’s Phase 2 audits.

Brought to you by

Steve Burt
Healthcare Compliance Resources

Heman A. Marshall
Principal, Woods Rogers PLC