As a part of its continued efforts to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities (i.e., health care providers, health care clearinghouses, and health plans) and their business associates. These audits enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI). During this second phase, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet the Privacy, Security, and Breach Notification Rules. HHS has stated that these audits will primarily be desk audits, although some on-site audits will be conducted. Generally, the audit will be initiated via an email sent to a covered entity or business associate requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of the covered entity or business associate. Because entities will be contacted via email, OCR states that entities should check their junk or spam email folder for emails from OCR. Also, OCR has posted on its website an extensive audit protocol checklist to encourage entities to conduct their own internal self-audits as part of their HIPAA compliance activities. Also, because health plans (i.e., medical, dental, vision, prescription drug, health care flexible spending account plans, and certain wellness and employee assistance programs) are subject to HIPAA, employers that sponsor such plans should review their plans' policies and procedures in order to ensure compliance with HIPAA and prepare for a potential audit.