HIPAA Compliance – Phase 2 Audit FAQs and the Audit Protocol

Figuring out the details of whether your business is in compliance with HIPAA is an ongoing challenge. At our last HIPAA-related Lunch & Learn event, several of our attendees were looking for information on how the latest phase of HIPAA audits will be conducted – how businesses will be selected to be audited (particularly business associates), when the different types of audits will be conducted, and more. Here are some of the latest answers from the Health and Human Services Office for Civil Rights.


HIPAA Compliance – FAQs and the Audit Protocol

The OCR's website offers some helpful definitions and answers to frequently asked questions concerning the audit process. A few important highlights include:


  • Timing for audits – The Health and Human Services Office for Civil Rights (OCR) began audits for Phase 2 of the HIPAA Audit Program on March 21, 2016. The OCR states that “Phase 2 is currently underway. Selected covered entities [CE] received notification letters July 11, 2016. Business associate [BA] audits will start in the fall.” The OCR also warns businesses to double-check that these notification emails are not blocked by any spam filters.


  • Basis for selecting those who will be audited – The OCR states that for Phase 2, they are “identifying pools of CEs and BAs that represent a wide range of health care providers, health plans, health care clearinghouses, and business associates.” Their plan is to examine a broad spectrum of candidates to allow them to better understand the state of HIPAA compliance across the industry.


As far as BAs go, the OCR will be asking CEs who are being audited “to identify their business associates.” They encourage CEs “to prepare a list of each business associate with contact information so that they are able to respond to this request.”


  • Different sets of audits – The OCR’s first set of audits will be desk audits of CEs, followed by a second set of desk audits of BAs. The third set of audits will be onsite, and some desk auditees will also be subject to onsite audits. (You can take a look at the OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements for additional details.)


You can also take a look at the actual audit protocol along with some definitions of terms at the OCR’s website. This lengthy table breaks down the audit protocol according to Audit Type, Section, Key Activity, Established Performance Criteria, and the Audit Inquiry.