Second phase of HIPAA audits shifts into high gear

The long-awaited second phase of the HIPAA audit program of the HHS Office for Civil Rights is now in full swing. According to OCR, some covered entities have received notification letters regarding their inclusion in the desk audit portion of the program.

OCR announced that letters were delivered on July 11 via email to 167 health plans, healthcare providers and clearinghouses. The agency said that desk audits will examine the selected covered entities’ HIPAA compliance.

“These entities have 10 business days, until July 22, 2016, to respond to the document requests,” OCR said in the announcement. “Desk audits of business associates will follow this fall.”

Phase 2 of OCR’s audit program is primarily focused on desk audits of policies and procedures, compared with Phase 1. OCR hopes this approach will enable the agency to be more effective in audits with fewer resources than would be required to support full onsite audits for all organizations.


“The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA rules,” according to the announcement. “OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance.”

Those HIPAA requirements selected for desk audit review include:

  • Privacy Rule—Notice of Privacy Practices and Content Requirements, Provision of Notice–Electronic Notice, and Right to Access.
  • Breach Notification Rule—Timeliness of Notification, and Content of Notification.
  • Security Rule—Security Management Process (Risk Analysis), and Security Management Process (Risk Management).

Daniel Gottlieb, a healthcare law attorney and partner at McDermott Will & Emery, contends that the Phase 2 audit program is placing more attention on areas of greater risk to the security of protected health information and on pervasive non-compliance, based on OCR’s Phase I audit findings and observations, rather than a comprehensive review of all of the HIPAA standards.

“In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties,” said Gottlieb. “OCR’s announcement that it has launched the Phase 2 HIPAA audit program is not surprising in light of recent criticism of OCR’s HIPAA enforcement efforts by the Office of Inspector General and following the numerous cyber attacks on the healthcare industry.”

Gottlieb recommends several steps that covered entities and business associates should take to ensure that they are prepared for a potential Phase 2 audit, including:

  • Confirming that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization, in other words, conduct a risk assessment.
  • Confirming that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion
  • Ensuring that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards.
  • Confirming that all systems and software that transmit electronic PHI employ encryption technology or that the organization has a documented risk analysis supporting the decision not to employ encryption.

In Phase 2 of the audit program, covered entities will be reviewed for HIPAA compliance, regardless of whether a complaint has been filed against them. When it comes to business associates, Phase 2 is the first time that OCR’s audit program will be directly looking at business associates.

For reprint and licensing requests for this article, click here.