The HIPAA Audit Program and you

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits to confirm that organizations are in line with HIPAA protocol. The 2016 Phase 2 HIPAA Audit Program is looking to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts by being more proactive.

For 2016’s Fiscal Year, the budget for OCR’s office increased by $4 million over the year before in anticipation of these audits. They will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards (laid out in Phase 1) and implementation specifications of the Privacy, Security, and Breach Notification Rules.

The HITECH Act mandates that OCR conduct periodic random audits to assess entity compliance with HIPAA. These will primarily be desk audits, but some on-site audits can occur. An on-site audit could be anything from a drop-in one-hour audit to a multi-day operational audit.

Let’s look back:

Before phase 2 (the audits) began, they started with phase 1:

“HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk. HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements. OCR also conducted an extensive evaluation of the effectiveness of the pilot program. Drawing on that experience and the results of the evaluation, OCR is implementing phase two of the program, which will audit both covered entities and business associates. As part of this program, OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the efficacy of desk audits in evaluating the compliance efforts of the HIPAA regulated industry. Feedback regarding the protocol can be submitted to OCR at” –

Going Forward:

Now that national standards and an audit protocol are in place, OCR is starting Phase 2. If you are in line to be audited, you will receive an email from HHS that will look similar to this:


Who’s going to be audited? Any covered entity or business associate is eligible for these audits. OCR is identifying pools of covered entities and business associates that represent a range of healthcare providers, health plans, and clearinghouses. They’ll be looking at a broad range of audit candidates to get a better assessment of HIPAA compliance across the industry.

OCR will be conducting desk and onsite audits for covered entities (both individuals and organizations). The first set of audits, in process now, will be desk audits that examine compliance with specific privacy provisions. All auditees will be notified by a request letter, and all desk audits will be completed by December 2016. If you are subjected to a desk audit, that does not mean you will not also receive an on-site audit.

The next set of audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than desk audits. Some desk auditees may be subject to a subsequent onsite audit. Auditees may be asked to supply OCR with documents before the scheduled audit in response to the notification letter. OCR plans to have fewer in-person audits than previously.

If you receive an information request but do not respond, OCR will use publicly available information about the entity to create its audit pool. A non-responsive entity can still be selected to be audited by OCR.

Once notified of an audit, you will have 10 days to respond with the requested documentation; from there you may be audited sometime within a 30-day window. These audits are in place to improve compliance with HIPAA protections and to benefit individuals. They are not meant to be scary. But the word audit is an inevitably scary word. It’s just

How does this affect you?

Preparation is key. Being prepared for these audits will eliminate fear and reduce risk to you and your organization. If you’re up to date on the Audit Protocol as posted by HHS, you won’t be sorry. The general audit types are threefold: Privacy, Security, and Breach.

  • Privacy Rule requirements:
    • notice of privacy practices for PHI (protected health information)
    • rights to request privacy protection for PHI
    • access of individuals to PHI
    • administrative requirements
    • uses and disclosures of PHI
    • amendment of PHI
    • accounting of disclosures
  • Security Rule requirements
    • administrative
    • physical
    • tech safeguards
  • Breach Notification Rule
