OCR announces start of Phase 2 HIPAA Audit Program
March 22, 2016

HIPAA Alert

Author(s): Valerie Breslin Montague, Laurie T. Cohen

Office for Civil Rights (OCR) will audit covered entities and business associates of all types and sizes across the country to assess compliance with HIPAA privacy, security and breach notification rules.

On March 21, 2016, the Office for Civil Rights (OCR) announced the start of its long-awaited HIPAA Audit Program, which is required by the HITECH Act. Building upon the audits of covered entities conducted in 2011 and 2012, Phase 2 of the HIPAA Audit Program will include audits of both covered entities and business associates.

OCR has stated that it intends to audit more than 200 health plans, health care providers, health care clearinghouses and business associates of all sizes and types, across a range of geographic locations. Under the program announced this week, OCR will not, however, audit organizations with open HIPAA complaint investigations or those that are the subject of an OCR compliance review.

OCR has begun to e-mail covered entities and business associates[1] to verify address and contact information, which will be followed by a pre-audit questionnaire. This questionnaire will inquire as to the size of the entity, the type of services it performs and its operations. Notably, this pre-audit screening questionnaire asks covered entities to identify their business associates. OCR cautions that entities that do not respond to the e-mail request for information verification still may be chosen as audit subjects.

In the Phase 2 program, OCR will primarily conduct desk audits, followed by a smaller number of onsite audits. OCR will begin with desk audits of covered entities, followed by desk audits of business associates. Auditees will be notified by letter, which will include an initial document request. An entity will be given 10 business days to upload responsive information to OCR’s secure portal. OCR’s auditors will share draft audit findings with each entity and give it 10 business days to respond to the findings. OCR will prepare a final report within 30 business days of the auditee’s response. Auditees’ responses will be included in OCR’s final audit reports.

OCR anticipates that the desk audits will be completed by the end of 2016. OCR also has indicated that, for those entities that are subsequently selected for an onsite audit, such audits may span three to five days depending on the size of the auditee. These audits will be more comprehensive and cover more HIPAA regulatory requirements. As with desk audits, onsite auditees will have 10 business days to review and respond to draft audit findings, and OCR will complete its report within 30 days following the auditee’s response.

OCR has indicated that it intends to use information derived from the Phase 2 audits to identify best practices and promulgate additional guidance to address compliance challenges. If a serious HIPAA compliance issue is identified in an audit, OCR may commence a compliance review of the organization, which could lead to fines and the imposition of a corrective action plan (CAP).

OCR has committed to posting updated audit protocols on its website prior to the commencement of the Phase 2 audits. Organizations that are not selected for an audit also would benefit from reviewing these protocols, as they likely will provide a road map of the items OCR will analyze should an organization be investigated following a HIPAA breach or complaint. Prior to the release of the updated Phase 2 audit protocols, covered entities and business associates can review the Phase 1 protocols here. While these protocols do not address the HIPAA Breach Notification Rule or the other regulations promulgated in the 2013 Omnibus Final Rule, they serve as a starting point for covered entities and business associates to assess their HIPAA compliance. In addition, the enforcement actions taken by OCR and the related CAPs are very insightful and provide additional guidance to covered entities and business associates.

For example, auditees (as well as those otherwise investigated by OCR) can expect questions regarding the entity’s security risk assessment and its efforts to address or mitigate identified risks. To the extent OCR is contemplating a requirement for data encryption in its next update to the Security Rule, OCR also may ask whether covered entities and business associates encrypt data in transit and at rest. In addition, now that business associates will be auditees, covered entities should expect inquiries surrounding their use of business associates and policies and procedures covering such arrangements.

Given the short response deadline following notification from OCR that an entity will be audited, covered entities and business associates that receive the contact information verification letter and pre-audit questionnaire from OCR should ensure that the entity’s privacy officer and security officer coordinate with IT staff and legal counsel to centralize HIPAA policies, procedures and other documentation. Covered entities and business associates should reach out to management and compliance personnel to ensure that such individuals are watching for OCR correspondence in order to take full advantage of the organization’s response period.


1. OCR recommends that covered entities and business associates check their e-mail spam and junk folders in case OCR’s e-mail is improperly classified in one of these folders.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.