On March 21, 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it has commenced Phase 2 of the HIPAA Audit Program. Phase 1 of the HIPAA Audit Program ran from 2011-2012 and produced several notable findings, including that two-thirds of covered entities had not performed a risk assessment as required by the HIPAA Security Rule.

Phase 2 will launch with desk audits of covered entities. During these desk audits, covered entities will submit documentation via OCR’s secure online portal. The documentation, which must be submitted within ten days of the initial request, will help OCR auditors examine the entities’ compliance with specific requirements of the HIPAA Privacy, Security or Breach Notification Rules. Following these initial audits, OCR plans to conduct desk audits of business associates. After the desk audits have been completed, some covered entities and business associates may be selected for onsite audits that will be conducted over a three to five day period and will examine a broader scope of HIPAA requirements.

Although the Phase 2 audits are intended to help improve compliance, OCR has indicated that it may initiate compliance reviews if an audit report reveals serious issues. OCR has stated that the desk audits will be completed by the end of December 2016, but has not determined a completion date for the onsite audits since they are contingent upon the results of the desk audits.

View the details of Phase 2 of the HIPAA Audit Program, including a list of frequently asked questions about the program.