Tuesday, 29 March 2016 02:05

More Details on the Office for Civil Rights (OCR) Launch of Phase 2 of the HIPAA Audit Program

Written by Duane Lansdowne

If you are a covered entity (such as a healthcare provider) or a business associate that has never been audited, and has never heard of anyone who has, please read this message about the OCR 2016 audits.

Although HIPAA is an important law passed to protect the sensitive medical information handled by millions of covered entities and business associates, the Department of Health and Human Services Office for Civil Rights (OCR) has never established a permanent compliance audit program. Auditing activity to date by OCR has consisted of a pilot program of audits conducted in 2011 and 2012, involving fewer than 200 covered entities. It is no wonder that many medical providers have had little concern about ever being subject to a HIPAA compliance audit, and hence many have made compliance a low priority. They have never been audited, nor have they heard of anyone who has. This situation is now going to change.

On March 21, 2016, OCR announced its Phase 2 Audit Program. With the alarming increase in patient data breaches, OCR has felt intense pressure from Congress and the Office of the Inspector General (OIG) to get this long-delayed program underway. Organizations subject to HIPAA need to take this development seriously: it is a signal that they must now put their compliance programs in place.

So who will be audited in the Phase 2 Program?

Unlike the Phase 1 pilot audits, Phase 2 will not be limited to larger covered entities. OCR is aware that the vast majority of smaller organizations are not HIPAA compliant and that there is also a serious compliance gap among business associates, so Phase 2 will cover a larger and more diverse pool of organizations. According to the OCR website:

OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.  By looking at a broad spectrum of audit candidates, OCR can better assess HIPAA compliance across the industry – factoring in size, types and operations of potential auditees.

Who will be selected?

Organizations will be contacted via email to obtain and verify contact information. It will be important to ensure that this email does not end up in a spam or junk folder, because an organization that does not reply will be flagged as non-responsive, and failing to respond will invite additional scrutiny. The act of contacting entities to let them know they are eligible should itself give an organization a good reason to start paying attention to HIPAA, if it has not done so already. Organizations will then be required to complete a pre-audit questionnaire. Once this data has been collected, OCR will select organizations to participate in the actual audit program.

What is the audit process?

If you are selected for an audit, it will most likely be a desk audit. This means that you will be required to upload specified documents to a secure portal that OCR has developed for this purpose. The specific documents that will be requested have not yet been identified, so organizations should prepare by putting a comprehensive compliance program in place, since that program will produce all of the documentation that could be requested. You will have only 10 business days to upload your documents. After the documents are uploaded they will be reviewed by an investigator. The results of the audit will vary, but a further compliance review could be initiated. No one should take this program lightly: late, incomplete or inadequate responses could be very costly.

Is this just a one-time event?

This is a precursor to a permanent audit program. Prudent organizations should assume they will be audited sooner or later.

How can Acclamar, LLC help me?

Our HIPAA compliance service will get you fully prepared for the upcoming audit program. We will also go one step further: if your organization is selected for an audit, we will provide assistance in helping you respond. There will be no extra fee for this; the service is included in our HIPAA Compliance Premier Subscription.

When is all this supposed to happen?

The process of verifying contact information has already begun, and OCR has stated that the desk audits will be completed by December 2016.

Preparing for HIPAA Audits

There are still many unanswered questions about the program.  OCR will have to fill in the details over the coming weeks and months.  However, one thing is very clear – if you are subject to HIPAA, you should be preparing to get audited.

Below is some information to help organizations make sure they are prepared for an OCR audit, as well as lower the chance of having a data breach.

Things you must do!

Covered Entities

Have you performed a Risk Assessment?
Have you provided HIPAA security training for all employees?
Do you have written policies and procedures on how to protect patient information?
Do you have an incident response plan?
Do you have updated Business Associate Agreements?

Business Associates

Have you performed a Risk Assessment?
Have you provided HIPAA security training for all employees?
Do you have written policies and procedures on how to protect patient information?
Do you have an incident response plan?
Do you have Business Associate Agreements with your subcontractors?

If you need help with your technology, IT security, HIPAA, Meaningful Use or any other aspect of your practice or compliance, please do not hesitate to call us. We have been proudly serving the medical community since 2010.

Thank you to our friends at HSN for providing the details of this recent development.

Last modified on Tuesday, 29 March 2016 11:39
Duane Lansdowne
