OCR Launches Phase 2 of HIPAA Audits


Five suggested steps healthcare organizations and their contractors should take to prepare.

On March 21, the Office of Civil Rights (OCR) of the Department of Health and Human Services launched Phase 2 of the HIPAA Audit Program. The audits are intended to determine whether healthcare organizations and their contractors are complying with the Health Insurance Portability and Accountability Act’s (HIPAA’s) Privacy, Security, and Breach Notification Rules. According to OCR, the audits are also intended to help it get out in front of potential problems and better direct its guidance to address issues currently affecting the confidentiality and security of protected health information (PHI).

Why Audits?

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) requires OCR to periodically audit covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012, which focused solely on covered entities. After many delays, OCR is now proceeding with Phase 2 audits, which will include both covered entities and business associates.

When Will the Audits Occur?

Phase 2 will consist of approximately 200 desk and on-site audits. Desk audits, which focus on document review, will make up the majority of the audits and will consist of two rounds. The first round of desk audits will center on covered entities, and the second round will focus on business associates. The desk audits are expected to be completed by December 2016. The third round of audits will be on-site and will begin later in the year. An entity that is subject to a desk audit may also have to undergo an on-site audit.

How Will the Audits Work?

OCR is sending emails to select covered entities and business associates asking them to verify their contact information. These entities will then receive a “pre-audit questionnaire” that requests details about their business size, type, and operations. From there, OCR will create a pool of audit targets that represents a wide range of covered entities and business associates in terms of size, sectors, and geographic location.

Entities selected for a desk audit will be notified by email and will be asked to provide documents and other data. The desk audits will focus on compliance with particular provisions of the HIPAA Privacy, Security, and Breach Notification Rules, such as risk analyses, notices of privacy practices, and response to requests for access to PHI. Audit subjects will have 10 business days to submit the requested information to OCR through an audit-specific portal on OCR’s website. OCR will then review the documentation and develop draft findings. Auditors will share their findings with the audited entities, allowing them 10 business days to respond. The written responses will be included in the final audit report, which also will be shared with the audited entity.

Similarly, entities will be notified by email of their selection for an on-site audit. On-site audits will be conducted over three to five days (depending on the size of the entity) and will be more comprehensive, with a broader focus on HIPAA requirements. As with the desk audits, entities will have 10 business days to review the draft findings and provide written comments to the auditor. OCR will share a copy of the final report with the audited entity.

Audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.

OCR will not post a list of audited entities or the findings of an individual audit that clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits in response to a FOIA request.

What Can Be Done Now To Prepare?

OCR stated that it will post protocols for the Phase 2 audits on its website soon. In the interim, covered entities and business associates should strongly consider taking the following steps now to make sure they are prepared if selected for a Phase 2 audit:

Even if a covered entity or business associate is not selected for a Phase 2 audit, the exercise of preparing for one can be helpful in reducing HIPAA compliance risk and preparing the organization in the event of an OCR investigation.


Copyright © 2025 by Morgan, Lewis & Bockius LLP. All Rights Reserved.
National Law Review, Volume VI, Number 84