Published on:

OCR Announces Start of HIPAA Audit Program Phase 2

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced that it will be initiating Phase 2 of the compliance audits mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH). The first phase of audits was carried out in 2011 and 2012, and targeted covered entities. While Phase 2 will expand the targeted entities to include business associates, it will utilize information gathered during Phase 1 to narrow the scope of audits in order to review the areas of greatest risk to protected health information (PHI).

Following Phase 1, OCR’s findings noted that, generally, the smaller the covered entity, the more compliance issues it had with all 3 Health Insurance Portability and Accountability Act (HIPAA) Standards: privacy, security, and electronic transactions. Furthermore, OCR observed that over 60% of the violations related to security standards. Additionally, nearly 40% of the findings related to privacy standards occurred simply due to lack of knowledge regarding the privacy standards.

Applying this information, OCR will narrow the focus of their compliance audits in Phase 2. The audits will occur between October 2014 and June 2015, and will address:

  • Security risk analysis and management;
  • Breach content and effectiveness of notifications;
  • Privacy notices and access to records; and
  • Proper safeguards and adequate training.

Phase 2 will begin with a random selection of 550-800 covered entities, chosen through America’s Health Insurance Plans’ databases of health plans, as well as the National Provider Identifier database. All covered entities that are randomly selected will be sent a link to an online pre-survey. OCR will use the pre-survey results to narrow-down the covered entities to 350 entities who will then be notified and sent data requests this fall. OCR will choose the business associates for Phase 2 from these data requests. 150 of the covered entities and 50 of the business associates will be audited for security standards compliance. Further, 100 of the 350 covered entities will be audited for compliance with breach notification standards and privacy standards.

Once the covered entities and business associates are chosen, they will receive audit requests and have two weeks to respond. The requests will include a list of all the files needed, but OCR may request additional information at a later date. Audited entities are advised to respond to OCR in a timely fashion because failure to do so could lead to a more scrutinized compliance review by the OCR Regional Office. Once an audit is completed, OCR will provide a draft report and allow management to comment. OCR will take the comments into account before issuing a final report.

Because covered entities and business associates are chosen at random, these entities should prepare for a potential Phase 2 compliance audit. Recommended steps include:

  • Undergoing a risk assessment to highlight any vulnerabilities;
  • Compiling a list of all business associates to fulfill date request;
  • Confirming that all employees are up to date on their HIPAA Standards training;
  • Checking that the entity is implementing all security, privacy, and breach standards and documentation is provided in the event that certain measures were not enacted.


OCR’s website
will provide the Phase 2 Audit protocol for entities looking to prepare for a potential compliance audit. For more comprehensive preparation, covered entities and business associates can contact Wachler & Associates, P.C. Since the enactment of the HIPAA Privacy and Security Rules, Wachler & Associates has counseled healthcare entities in HIPAA compliance matters, which includes updating security policies and procedures, and ensuring employees undergo vital HIPAA compliance training. If you have any questions or require assistance developing a HIPAA compliance plan for your entity, please contact an experienced healthcare attorney at 248-544-0888 or contact us here.