HIPAA Privacy and Security Audits: OCR Phase 2
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has launched the second phase of its HIPAA Privacy and Security Audit Program. The program was created after the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), which requires HHS to perform periodic audits of covered entities and business associates to verify compliance with the HIPAA Privacy and Security Rules and with HITECH's breach notification standards. The scope of this national audit includes covered entities and business associates across a range of industries and sizes.

The HIPAA Rules define "covered entities" as follows:

  • Health plans, including individual health plans, employer-sponsored group health plans, health insurers and health maintenance organizations;
  • Health care clearinghouses that process and reformat health information; and
  • Health care providers that transmit protected health information (PHI) electronically in connection with financial or administrative transactions for which HHS has adopted a standard.

A "business associate" is a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains or transmits PHI on the covered entity's behalf (for example, a billing service, a cloud hosting provider or a law firm). Since HITECH, business associates are directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, which is why Phase 2 audits them alongside covered entities.

OCR completed a pilot program in 2012, which is considered Phase 1 of the audit program. In the pilot, OCR reviewed the privacy and security compliance documentation of the selected covered entities, conducted site visits, and provided draft and final audit reports. Business associates were not audited in Phase 1.

Purpose of the OCR Audit – Phase 2

OCR has indicated that the purpose of the audit is to assess overall compliance with the HIPAA Privacy and Security Rules, as well as with the HITECH breach notification requirements. This includes identifying industry best practices, along with risks and vulnerabilities not detected through current enforcement activities (complaint investigations and breach-report reviews). OCR will use the results of these audits to develop tools and guidance to assist the industry with compliance self-evaluation and prevention of breaches of unsecured protected health information (PHI).

Audit Selection and Notification

OCR has randomly selected a pool of covered entities and business associates, and emails have been sent to potential auditees with a pre-screening questionnaire to collect demographic and business associate information. This information will be used to select the entities on which to perform desk audits, which OCR intends to complete by the end of 2016 or early 2017. OCR will be sending its communications via email from OSOCRAudit@hhs.gov, which may be routed to an entity's spam folder. Entities should check spam folders (or add the address to an allow list) to ensure that communications are not missed. Because an unsolicited "official audit" message is exactly what a phishing campaign imitates, staff should also verify any such email against OCR's published audit contact information before opening attachments or following links, rather than treating the subject line alone as proof of origin.

Audit Documentation Requirements

Covered entities and business associates will have 10 business days to respond to the audit request. OCR will issue two separate document requests via email: one for policies and procedures (and related documentation), and another for a list of business associates. Auditees must submit the requested documentation through OCR's online portal (a link will be included in the email request), so the responsible official should confirm in advance that the documents exist, are current, and can be gathered within that window.

Audit Process – Stages and Timing

The Phase 2 audits will take place in the following three stages:

Stage 1

Desk audits of covered entities – OCR is currently conducting desk audits of covered entities, with desk audits of business associates scheduled to begin in late September 2016. OCR expects to complete its desk audits by the end of December 2016, with on-site audits beginning in early 2017.

Stage 2

Desk audits of business associates – These desk audits will focus specifically on the auditee’s compliance with the Privacy, Security, and Breach Notification requirements.

Stage 3

OCR will conduct on-site audits lasting 3–5 days, during which it will review a more comprehensive set of HIPAA requirements. Both desk and on-site audits will culminate in a draft report from OCR, to which the auditee has 10 business days to submit a written response. OCR will issue a final report outlining its findings within 30 business days of receiving the auditee's response to the draft report.

On-Site Audits

On-site audits will cover a broader set of HIPAA compliance controls. The desk audits of covered entities, by contrast, focus on seven controls drawn from the Security Rule, the Privacy Rule, and the Breach Notification Rule (the regulatory citations in brackets identify the corresponding provisions of 45 CFR Part 164):

Privacy Rule Controls:

1. Notice of Privacy Practices and Content Requirements [§164.520(b)]
2. Provision of Notice – Electronic Notice [§164.520(c)(3)]
3. Right to Access [protected health information; §164.524]

Breach Notification Rule Controls:

4. Timeliness of Breach Notification [§164.404(b)]
5. Content of Breach Notification [§164.404(c)]

Security Rule Controls:

6. Security Management Process – Risk Analysis [§164.308(a)(1)(ii)(A)]
7. Security Management Process – Risk Management [§164.308(a)(1)(ii)(B)]

The audit protocol highlights areas that all covered entities and business associates should pay attention to in order to avoid potential breaches or other incidents that may invite enforcement action. All entities responsible for compliance with HIPAA should prepare for a potential audit. Entities should review current compliance efforts, including ensuring that they, to the extent applicable:

  1. have written policies and procedures in place, including breach notification procedures;
  2. have a current Notice of Privacy Practices;
  3. have conducted and documented a risk analysis and an inventory of PHI;
  4. have appropriate Business Associate Agreements in place;
  5. have designated Privacy and Security Officials; and
  6. have conducted privacy and security training for relevant employees.

Because the desk audit's two Security Rule controls are the risk analysis and the risk management process, item 3 deserves particular attention. The Security Rule requires an accurate and thorough assessment of the risks to the confidentiality, integrity and availability of electronic PHI, so the risk analysis should be enterprise-wide, cover every system that creates, receives, maintains or transmits ePHI, be dated and reviewed periodically, and be accompanied by a record of what was done about each identified risk. A risk analysis with no corresponding risk management plan leaves control 7 without evidence.

Additional information about the Phase 2 Audits is available on OCR's Audit Program page on the HHS website, including sample email notification letters, a copy of the audit protocol, sample templates for identifying business associates, Q&As, and a copy of the pre-screening questionnaire.

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.
