Getting Ready for Phase Two HIPAA Audits

The federal Office for Civil Rights (OCR) is now in Phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) audit program, which will review the policies and procedures adopted and employed by covered entities and their business associates.

OCR is a division of the Department of Health and Human Services tasked by the Health Information Technology for Economic and Clinical Health Act (HITECH) to audit covered individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a range of business associates of these entities for compliance with HIPAA's Privacy, Security, and Breach Notification Rules. OCR officials said the audit will help the federal agency find potential problems before they arise. OCR also hopes to refine its ability to advise healthcare organizations and contractors about handling confidentiality requirements of protected health information (PHI).


Periodic OCR audits are required by HITECH, which was passed in 2009. Covered healthcare companies, contractors and business associates that may have contact with secured records are subject to the audits to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Phase 1 audits occurred in 2011 and 2012. Phase 1 audits looked only at healthcare companies. Phase 2 will cover healthcare companies and business associates.

This round of audits is expected to consist of 200 desk and on-site audits. Most will be desk audits - audits focusing on document review. OCR anticipates that its desk audits should encompass two rounds, a first round for the healthcare agencies, and a second round for business associates. OCR notes that desk audits should be done by December, and on-site audits should begin later this year.

It is important to note that any healthcare company chosen for a desk audit may be selected for an on-site audit.



First, OCR will send an email to healthcare companies and business associates asking them to verify contact information. This is referred to as a "pre-audit questionnaire." It will ask about:

  • Business size.
  • Business type.
  • Scope of operations.

OCR will use this information to create a pool of audit targets. The OCR plans to make the audit selections as representative as possible using size, sector and geographic location as criteria.


Companies and business entities selected for the first round of desk audits will get an email from the OCR requesting documents and other information. The document request will focus on company HIPAA Privacy, Security, and Breach notification rules. Specific targets are:

  • Risk analysis.
  • Notice of privacy practices.
  • Response to request for access to the PHI.
  • HIPAA Security Rule risk analysis.
  • Implementing HIPAA policies and procedures.
  • A breach notification process.
  • Updated Notice of Privacy Practices that reflects HIPAA Final Rule modifications.
  • Encryption on laptops and other devices with PHI.
  • Updated inventory of devices with PHI and information system assets. This includes mobile devices.
  • A physical security plan for every location with PHI.
  • Regular staff training on PHI security and on security and breach response policies.
  • Patients' timely access to PHI.

Those selected for the first round of desk audits have 10 business days to submit the requested documents through an audit-specific portal on the OCR website. OCR will review the submitted documents and come up with draft findings. These drafts will be shared with the audited entities, who will then have 10 days to respond to the initial report. Written replies will be included in the final audit, and the audited company will get a copy of the final report.


Those chosen for on-site audits will get an email notifying them of selection. The on-site audit will take three to five days, depending on the size of the entity. These audits will be more detailed and have a broader focus on compliance with specific HIPAA regulations.

A draft report will be sent to the audited entities, and they will have 10 days to respond with written comments. The audited company will get a copy of the final report.

If the audits find any serious issues, OCR may launch a compliance review.

OCR will not notify the audited entities when the reports are made generally available. However, a Freedom of Information Act (FOIA) request may require OCR to release audit notification letters and other audit information that could identify the audited health care companies and business associates.


The protocols for the Phase 2 audits are listed on the Health and Human Services website, on the OCR pages.

Any entity and business associate that comes under HIPAA oversight needs to prepare for an audit.

Four Ways to Prepare for a Potential OCR Audit:

1) Make sure emails from OCR are not routed to the junk or trash folders. Emails will come from Have IT staff configure email protocols and filters to route emails from this address to the applicable inbox. Advise any business associates to do the same. OCR will, however, use public contact information for any selected entity that does not respond to the email request.

2) Prepare a list of business associates. OCR will ask for this. Every covered health care business and business associate should evaluate compliance with HIPAA's Privacy, Security, and Breach Notification Rules with a regular self-inspection covering:

3) Make sure the audit response team is ready. Any entity selected for the audit only has 10 days to reply to the request for information and 10 days to reply to any draft findings. The team has to be ready to go.

4) Have a data mapping exercise. Identify PHI storage and track data flow within the healthcare company and applicable business associate (or associates). This will help identify weak points in HIPAA compliance areas.

Even if a health care company is not chosen for an audit, these exercises are helpful. They show how prepared a health care company is and how well it complies with HIPAA regulations.

It is important to comply with HIPAA's guidelines, audits notwithstanding. If you need assistance, or find yourself subject to an OCR audit, contact the Medicaid team at Levy Pruett Cullen today.

With two decades of experience defending practitioners and healthcare providers from allegations of Medicare and Medicaid fraud, improper coding or billing, accepting kickbacks, false medical claims, overbilling, improper coding practices, unnecessary medical treatment, altered documents, Department of Audits and Accounts (DOAA) recoupment, improper insurance collections and duplicate billings, or prescription drug claims, Levy Pruett Cullen is a law firm uniquely tailored to your needs.