Phase 2 -- HIPAA Security Audit Program

In June and July of 2016, the Office for Civil Rights (“OCR”) notified a number of health care covered entities (“CEs”) and their business associates, by letter or email, that it would be auditing them individually under its Phase Two HIPAA Security Audit Program.

The stated goal of the audit program is “to examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities” with respect to the HIPAA Privacy, Security, and Breach Notification Rules. In short, the audits verify that CEs and business associates have documented, implemented, and trained their workforce on HIPAA Privacy and Security compliance plans.

The audits are scheduled to begin in the fall of 2016. The OCR will select the CEs to be audited by random sampling. As stated above, the selected CEs have been or will be sent notification letters/emails from the OCR (example letter), addressed to the CE’s primary contact person. The CE will have 14 days to respond. The notification will give the contact person a link to a pre-screening questionnaire to be completed; the responses will be saved.

In preparation for these audits, the OCR also released its Phase Two HIPAA Audit Guidance on July 27, 2016. The guidance is intended to help CEs prepare for the entity audits and answers questions regarding preparation, timing, the audit process, and next steps upon completion.

CEs to be audited include: 

  • Both individual and organizational providers of health care services
  • Health insurance plans
  • Clearinghouses
  • A “range” of business associates for the CEs  

CEs will be asked to identify their current business associates for the auditors to review. The auditors will then select business associates from this list for individual audit. The audits will be performed in both “desk audit” and “onsite audit” forms.

The OCR states “covered entities that are the subject of an audit must submit requested information via OCR’s secure portal within 10 business days of the date on the information request. All documents are to be in digital form and submitted electronically via the secure online portal.”

Upon receipt of these requested documents, “the auditor will review the information submitted and provide the auditee with draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.” 

For more information on these audits and HIPAA in general for CE’s, please visit

Steven Bisciello is a Health Care Services Group Senior Manager experienced in revenue enhancement programs, health care litigation, compliance and physician practice management.
