OCR Announces Phase 2 HIPAA Audit Program


Earlier this week, the Health and Human Services Office for Civil Rights (OCR) announced the start of the 2016 Phase 2 HIPAA Audit Program, under which the OCR will review the policies and procedures adopted and employed by covered entities and their business associates to comply with the applicable requirements of the HIPAA Privacy, Security and Breach Notification Rules. Although Phase 1 (conducted in 2011 and 2012) focused exclusively on covered entities, the new round of audits will include business associates in addition to covered entities, and is expected to include a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates across the healthcare spectrum, factoring in the size, types and operations of potential auditees.

These audits will primarily be desk audits (whereby audited entities will be required to submit requested documents online via a new secure audit portal on the OCR’s website), although some on-site audits will be conducted. And, although the OCR has indicated that it intends to use these audits primarily to aid the OCR in providing education and guidance to the industry, OCR has made clear that, should an audit report indicate a “serious compliance issue,” OCR may initiate a compliance review or investigation, which could lead to monetary penalties or corrective action.

To prepare your organization for a potential Phase 2 audit, we recommend the following steps:
