
HHS Office of Civil Rights Launches Phase 2 of HIPAA Audit Program

The HHS Office for Civil Rights has announced the commencement of the next phase of audits of covered entities and their business associates to determine compliance with the HIPAA Privacy, Security and Breach Notification Rules. According to OCR, audits are an important compliance tool that supplements OCR's other enforcement tools, such as complaint investigations and compliance reviews. These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Privacy, Security and Breach Notification Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity's address and contact information. An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR's request to verify its contact information or to the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity's spam filtering and virus protection are automatically enabled, OCR expects entities to check their junk or spam email folder for emails from OCR.

Once OCR releases the detailed audit protocol, StayAlert! will publish additional notices and example policies that address the specific areas being audited. However, covered entities should already have in place a complete set of HIPAA policies that address all aspects of the HIPAA Rules. See MCN Healthcare's HIPAA Guidelines Policy and Procedure Manual for more resources.
