CHA News Article

Phase 2 of HIPAA Audit Program Launched

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced yesterday that it has begun its next phase of audits of hospitals and other entities subject to HIPAA. The audits will primarily be desk audits, although some on-site audits will be conducted. OCR will review the policies and procedures used by covered entities and their business associates to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

The audit process begins with an email from OCR requesting contact information for a representative of the covered entity or business associate. OCR will then send a pre-audit questionnaire to gather data about the size, type and operations of potential auditees; this data will be used with other information to create potential audit subject pools. If an entity does not respond to OCR’s request for contact information or the pre-audit questionnaire, OCR will use publicly available information instead.

OCR has stated that its email communications may be incorrectly classified as spam, and advises covered entities and business associates to check their spam folder for emails from OCR if spam filtering and virus protection are automatically enabled.

OCR will post updated audit protocols on its website closer to conducting the 2016 audits. OCR’s audits will allow it to better target technical assistance for problems identified through the audits. OCR will also evaluate the results and procedures used in the phase 2 audits to develop its permanent audit program. To learn more about phase 2 audits, visit