Phase 2 of HIPAA Audits Is Underway – Covered Entities and Business Associates Beware

Akerman LLP - Health Law Rx

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it has started obtaining and verifying entity contact information to identify covered entities and business associates for potential audit subject pools for the 2016 Phase 2 HIPAA Audit Program. In Phase 2, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to comply with the HIPAA Privacy, Security and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will occur.

OCR has started sending emails to entities requesting the verification of contact information and providing pre-audit questionnaires. Because the emails may end up incorrectly classified as spam mail, OCR has advised entities to check their junk and spam email folders for emails from OCR at the following email address ( If an organization fails to respond to an information request, OCR will use publicly available information about the entity to create the audit pool.  According to OCR, an entity that does not respond to the address verification or pre-screening questionnaire may still be selected for an audit or be subject to a compliance review.  All desk audits for Phase 2, including those of business associates, are supposed to be completed by the end of December 2016. OCR says that it will post updated audit protocols on its website as it gets closer to conducting the 2016 audits. Entities that have been selected for audit will have 10 business days from the date of the information request to provide the requested documentation.  Once OCR provides draft findings, audit subjects will have 10 business days to review and provide written comments. The auditor will prepare a final report within 30 business days after receiving the audit subject’s response.

To prepare for the Phase 2 audits and information requests, covered entities and business associates should do the following:

  • Covered entities should prepare a list of their business associates so they can readily provide this information to OCR upon request.
  • Add the OCR email address,, to their “safe list” and regularly check their spam and junk mail folders for emails from OCR.
  • Make sure that their HIPAA Privacy, Security and Breach Notification policies are up-to-date and readily accessible due to the short (10 business days) response time.
  • Periodically check the OCR website for the Phase 2 audit protocol.
  • Use the Phase 2 audit protocol as a tool to conduct internal self-audits as part of the organization’s ongoing compliance program.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising
