Recently, the Department of Health and Human Services – Office for Civil Rights (“OCR”) announced the launch of Phase 2 of its audit program for the Health Insurance Portability and Accountability Act (“HIPAA”). After years in development, the program represents a new tool for OCR to use in evaluating businesses’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. The initiative will encompass both types of organizations regulated by HIPAA: “covered entities” (certain health plans, health care clearinghouses, and health care providers); and “business associates” (certain service providers that use protected health information (“PHI”) to provide services to or for covered entities). To help organizations prepare for the upcoming audits, below is a brief set of FAQs that covered entities and business associates should consider as they work through this preparation process.

What is Phase 2 of the audit program?

The Health Information Technology for Economic and Clinical Health Act (“HITECH”), passed in 2009, modified and expanded many of HIPAA’s requirements for the privacy and security of PHI. In addition to other requirements, HITECH imposed the requirement that OCR establish a program to periodically audit covered entities and business associates for compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. During 2011 and 2012, OCR piloted its audit process via Phase 1, reviewing 115 covered entities for compliance and evaluating the success of its review mechanisms. The upcoming Phase 2 utilizes enhanced protocols implementing lessons from Phase 1 and expands the scope of the audits to include business associates.

Who will be audited?

All covered entities and business associates are eligible for inclusion in the audit program. OCR has initiated Phase 2 by verifying the contact information of covered entities and business associates that may be included in this round of audits. After this contact information is confirmed, OCR will gather additional information relating to the size, type, and operations of potential auditees in order to ensure a broad sampling of covered entities and business associates via a prescreening questionnaire. OCR also encourages covered entities to identify their business associates during this review process. Once a pool of potential auditees is compiled, a random sampling will be selected for participation.

How will the audits be conducted?

Phase 2 will be conducted via a process whereby participants will be sent a request letter identifying specific documents and relevant information to be provided as part of the audit, which is similar to OCR’s more general investigative practices. OCR will accept these documents through a secure online portal. Generally, OCR has stated that it will focus on desk audits (i.e., audits at OCR facilities rather than on-site audits at the selected organizations) but that auditees should be prepared for on-site review as well. Following its review, OCR will present draft findings to the auditee, which will then have an opportunity to provide a written response. The audit reports will contain a description of how the audit was conducted, OCR’s findings, and auditees’ responses.

What is the goal of the audits?

Although OCR has the option to initiate a compliance review to investigate any serious compliance issues it uncovers, OCR has stated that the audits are “primarily a compliance improvement activity.” Along with enhancing industry awareness, OCR has indicated that its intention is to use the information gathered during audits to develop tools and technical guidance “to assist the industry in compliance self-evaluation and in preventing breaches.” The audit process will also help auditees identify and correct compliance concerns. Once completed, Phase 2 will be evaluated to allow OCR to develop its permanent audit program. In spite of OCR’s intention to apply the audit results for wider industry-related purposes, it seems unlikely that it would disregard violations of HIPAA, particularly those that are more serious in nature. As a result, organizations, particularly those that expect to be subject to Phase 2 audits, would be well advised to make sure their HIPAA documentation is available and up-to-date. They should also carefully review their compliance with the HIPAA Privacy, Security and Breach Notification Rules so that compliance gaps can be addressed in advance of the audits rather than as a result of an audit.

Contributor: Jeffrey Dunifon

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.