OCR Update: HIPAA Phase 2 Audit Notices—Responses Due July 22, 2016

Arnall Golden Gregory LLP

On July 11, 2016, e-mail notification was sent to 167 covered entities alerting them of their inclusion in the desk audit portion of OCR’s 2016 HIPAA audit program. Selected covered entities must respond no later than July 22, 2016. In a second wave, desk audits of business associates will occur this fall.

OCR recommends that all covered entities check their spam filters and junk mail folders for e-mails from OSOCRAudit@hhs.gov. OCR sent two e-mails to those selected, so covered entities included in the desk audits should locate and carefully review both e-mails. The e-mails include documentation requests (including a request for a complete list of the covered entity’s business associates), instructions for responding, and a link to use in submitting the requested documents, as well as information about an upcoming OCR webinar to explain the audit process.

OCR’s desk audits will examine the selected covered entities’ compliance with the HIPAA Privacy, Breach Notification, and Security Rules, with a specific focus on the following:

  • Privacy Rule:
    • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
    • Provision of Notice – Electronic Notice [§164.520(c)(3)]
    • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
  • Breach Notification Rule:
    • Timeliness of Notification [§164.404(b)]
    • Content of Notification [§164.404(c)(1)]
  • Security Rule:
    • Security Management Process – Risk Analysis [§164.308(a)(1)(ii)(A)]
    • Security Management Process – Risk Management [§164.308(a)(1)(ii)(B)]

Because of the very short time frame allowed for response and the recent increase in OCR HIPAA-related enforcement and penalties, selected covered entities should prioritize responding.

For more information, see: 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising
