Healthcare Law Alert – OCR Phase 2 HIPAA Audits Begin

The Office for Civil Rights (OCR), the agency of the Department of Health and Human Services charged with enforcement of the Health Insurance Portability and Accountability Act (HIPAA), has started Phase 2 of its Audit Program. HIPAA Covered Entities selected to undergo an audit should have received notification letters via e-mail on Monday, July 11, 2016, if they were selected for an initial desk audit. Because these notifications were sent via e-mail, your organization’s Privacy Officer or HIPAA contact should review his/her inbox and spam folder to be certain that the initial notification is not overlooked. Covered Entities selected for a desk audit must submit the information requested by OCR within 10 business days of the request.

OCR’s Phase 2 Audits will involve a review of Covered Entities and Business Associates, though OCR’s review of Business Associates will not commence until the fall.  Organizations selected for an audit can expect a desk audit, which will entail a review of their policies and procedures developed to meet the requirements of HIPAA’s Privacy, Security and Breach Notification Rules. Once selected for a desk audit, an entity could later be reviewed through an on-site audit by OCR.

OCR explained that it will likely perform 200 desk audits and 10-25 on-site audits of Covered Entities.  OCR has not commented on how many Business Associates it expects to audit, but it has said it will select entities based on an organization’s relationship with other healthcare organizations, private or public status and geographic factors.  In addition to enforcement of HIPAA’s requirements, OCR also intends to use Phase 2 Audits to determine the technical guidance it should develop to assist in preventing security breaches involving Protected Health Information.

OCR’s notification letter should detail those documents and any additional data OCR deems appropriate for the desk audit.  For additional information, visit OCR’s website:


Visit our Healthcare Practice Area to learn more about the legal services we can provide in this area. If you have any questions or would like more information on the issues discussed in this communication, please contact any member of our Healthcare Practice Area.

This communication is for informational purposes and is not intended as legal advice.