Health Care Law Blog

The purpose of the Phase 2 audit program is to allow OCR to review the policies and procedures of covered entities and business associates to meet selected standards and implementation specifications of the HIPAA privacy, security, and breach notification rules (HIPAA Rules). OCR has indicated that it will utilize the Phase 2 audit findings to identify technical assistance it should develop for covered entities and business associates. To the extent an audit reveals a serious compliance issue, OCR may conduct a compliance review that could lead to civil monetary penalties.

The Audit Process                                     

OCR is randomly contacting covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates to obtain information. Once OCR obtains contact information for covered entities, it will require completion of a questionnaire that asks about the covered entity’s operations and arrangements with business associates. Communications from OCR will be sent via email.

Auditees will be chosen through random sampling of the audit pool for participation in either a desk or an onsite audit. In terms of timing, covered entities who are selected for a desk audit must submit requested information within 10 business days of the information request. All documents are to be submitted digitally through the OCR's online portal. Auditees will be provided with draft findings and will have 10 business days to review and return such findings with comments. The auditor will then prepare a report within 30 business days of receiving comments.

Onsite audits, which will be more comprehensive than desk audits, will be conducted over a three to five day period at the auditee’s location. Like with desk audits, auditees will be provided with draft findings and will have 10 business days to review and return them with comments. The auditor will then prepare a report within 30 business days of receiving comments.

Now is the Time to Prepare and Assess Risks

Covered entities and business associates should take the appropriate steps to prepare for the possibility of a Phase 2 audit. It's not just a smart legal and business practice to evaluate whether your organization is safeguarding protected information, it's required by HIPAA. 

In order to fulfill these requirements, all entities subject to HIPAA's Security Rule must run a risk assessment. Additionally, covered entities and business associates should review their HIPAA privacy policies and procedures to ensure that they are up-to-date with recent legal changes. Finally, covered entities and business associates should monitor their operations for purposes of HIPAA compliance.

For help completing your risk assessment, drafting policies based on your assessment and/or preparing for a Phase 2 audit, please contact Mindi M. Johnson.