HHS/OCR – Phase 2 HIPAA Audits underway

If you are a healthcare provider or payer, or a business associate or service provider handling PHI, you may have heard about or received a notice from the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS). There is a fair bit of information available on the HHS website; we wanted to summarize the purpose and highlights of the audit program in this blog post.

Here is a quick brief on the audit program and what it entails.

History – The HIPAA audit program was included in the HITECH Act after years of appeals to OCR to be more proactive in monitoring organizations for HIPAA compliance, rather than only responding after a breach. Phase 1 of the program was a pilot conducted in 2012 through a paid contractor. Phase 2 of the program was in the works for some time and was finally launched in 2016. As of July 2016, 167 selected covered entities had been notified of potential desk audits.

Desk Audits – Requests for HIPAA-related information are sent to the selected entities, which have about 10 days to respond and submit the required documentation. HHS auditors review the submission and may issue additional requests, and the selected entity has an opportunity to respond to those as well.

According to HHS, there may be more audits, so organizations should have an audit response procedure in place. Part of HHS's goal is to take a closer look at organizational HIPAA compliance policies and internal controls, and to assess the risk to PHI across the various systems that hold it. The specific focus is on:

  • Notice of Privacy Practices – Review of whether organizations are publishing their privacy notices on their websites for patients to review
  • Written HIPAA policies and procedures – Assessment of the organization's documented HIPAA policies and procedures
  • Risk assessment – Review of how organizations are assessing risk to PHI and implementing appropriate security measures to address the risks they identify
  • Breach procedures – Review of how organizations are implementing notification policies and procedures for breaches of unsecured PHI

Here are some of the steps recommended by experts to prepare for such audits:

  1. Create an inventory of HIPAA policies and procedures, and document how each is implemented in your organization
  2. Identify risks early and put controls and measures in place to mitigate them
  3. Compile a list of business associates with access to PHI, and check that a business associate agreement is in place with each of them
  4. Document all systems and applications where PHI is stored or could potentially be stored


Phase 2 of the HHS HIPAA audit program will not affect everyone, and it relies on documentation reviews rather than onsite audits. But it signals a trend toward future audits, including a phase 3 in which regulators would be more stringent in their review and penalties could rise even higher. Providers and payers should be proactive and prepare for such audits by implementing a strong privacy program and ensuring that every part of the organization's business is covered by it. Being proactive helps an organization build trust with its patients and consumers and increase engagement; it is just good business sense.

