On July 11, 2016, the Department of Health and Human Services – Office for Civil Rights (“OCR”) sent email requests to 167 health plans, health care providers, and health care clearinghouses (“Covered Entities”) for materials related to their compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act, as implemented at 45 C.F.R. Parts 160, 162, and 164 (“HIPAA”). These requests are part of Phase 2 of OCR’s HIPAA Audit Program (the “Audit Program”). We have provided further details regarding the focus of the requests and other considerations below.

Audit Program Overview

The Audit Program covers both Covered Entities and, as a later phase, certain service providers that use or access protected health information (“PHI”) to provide services to or for Covered Entities, known as “Business Associates”. OCR will conduct its initial review via a “desk audit,” that is, a review of the materials submitted by the contacted organization to OCR, but has not ruled out the possibility of on-sight inspections later in the Audit Program. OCR has stated that its primary objective in conducting the Audit Program is to improve the compliance of the audited organizations and develop tools and technical guidance to help the industry comply with HIPAA’s requirements. Our more detailed outline of the Audit Program is available here.

Areas of Focus

OCR has selected certain key requirements of the specific Privacy, Security, and Breach Notification Rules under HIPAA as its focus for this initial request for information:

  • Privacy Rule – Notice of Privacy Practices and Access. Under the Privacy Rule, Covered Entities are required to provide individuals with a Notice of Privacy Practices (“NPP”), which describes individuals’ rights with respect to their PHI and related privacy and security practices of the organization. OCR’s review of these requirements will focus on the content of the NPP and provision of the NPP by electronic means (e.g., through email). Additionally, OCR will be reviewing Covered Entities’ compliance with respect to individuals’ right to access their PHI. Under HIPAA, this right includes specific requirements for the timing, format, and content of the PHI that must be provided.
  • Breach Notification Rule – Timeliness and Content of Notification. Under the Breach Notification Rule, Covered Entities are generally required to provide notice in the event of a breach of PHI. Dependent on the circumstances, this may include notice to individuals, the Secretary of Health and Human Services, and the media. OCR will be reviewing how Covered Entities have complied with the specific requirements regarding the timing and content for breach notice prescribed by HIPAA and related issues.
  • Security Rule – Risk Analysis and Risk Management.  Under the Security Rule, Covered Entities must conduct a thorough analysis of the risks and vulnerabilities posed to electronic PHI (“ePHI”) and implement security measures that reduce such risks and vulnerabilities to an appropriate level. Both the risk analysis and the risk management must be thorough and must take into account factors such as: (i) the size, complexity, and capabilities of the Covered Entity; (ii) the cost of security measures; (iii) the IT infrastructure; and (iv) the probability and criticality of the risks to ePHI.

Evaluation and Next Steps

Contacted Covered Entities were given until July 22 (10 business days) to respond to OCR’s inquiry. While the selected requirements will be evaluated based on the specific criteria identified in the Audit Protocol, OCR will generally be reviewing items such as policies and procedures to comply with HIPAA requirements and documentation of compliance (e.g., documentation demonstrating compliant breach notification to individuals). OCR will also be collecting information from the Covered Entities regarding their Business Associates, which it will use in directing its review of such organizations later in the Audit Program.

Contributors – Michael Egan and Jeff Dunifon


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.