HIPAA Phase 2 Audit Program

Health Care Law Update

Date: April 19, 2016

Key Notes:

  • Phase 2 of the HIPAA Audit Program is beginning.
  • The audit protocol includes roughly 180 areas of potential compliance review.
  • Covered entities and business associates should prepare for the audits.

The HHS Office for Civil Rights (OCR) has announced that it is beginning Phase 2 of the HIPAA Audit Program, the goal of which is to continue assessing compliance with the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules). Phase 1 occurred throughout 2011 and 2012 as a pilot audit program. While Phase 1 focused only on covered entities, Phase 2 will focus on covered entities and their business associates. At the conclusion of Phase 2, OCR will identify best practices and provide guidance on compliance challenges faced by covered entities and business associates.

As a result of the Phase 1 audits and OCR’s subsequent enforcement efforts, OCR Director Jocelyn Samuels stressed the need for companies to safeguard paper records, maintain business associate agreements with all business associates, perform comprehensive risk analyses of all sources of protected health information (PHI), and use the results of the risk analyses to develop and implement a robust risk management plan. She emphasized that OCR is serious about holding organizations accountable for HIPAA compliance.

Selecting Auditees

OCR has already begun to identify appropriate covered entities and business associates for Phase 2, and as part of the verification process, it is sending communications via email to potential auditees. All covered entities and business associates should check their junk and spam email folders to ensure they have not missed an email from OCR. OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees. This data will be used to create a pool from which auditees will be selected.

OCR will be requesting that covered entities identify their business associates, so it is recommended that covered entities now compile a list of their business associates, complete with contact information. OCR posted a sample template for potential auditees to use to identify and provide detailed information about their business associates. The information collected by OCR will be used to help identify business associates for the Phase 2 audits.

Audit Process

Phase 2 will begin with desk audits, which will be followed by onsite audits. Selected entities will be asked to provide documents and data through a secure audit portal on OCR’s website. These documents must be uploaded to the portal within 10 business days of the information request. Once OCR completes and shares its draft findings, auditees will have 10 business days to respond. The auditees’ written responses will be included in the final audit report. Given the short turnaround times, covered entities and business associates should have teams in place to respond quickly to OCR requests.

Audit Protocol

Potential auditees may wish to review the audit protocol that OCR will use in the Phase 2 audits. The protocol covers the Privacy Rule, Security Rule and Breach Notification Rule requirements, as well as general instructions. The updated protocol lists a total of approximately 180 areas of potential compliance review by auditors.

The audit protocol is a useful tool that any organization can use to evaluate its HIPAA compliance status and to prepare for a review or investigation.

Preparing for a Phase 2 Audit

Covered entities and business associates can prepare for a Phase 2 audit by:

  • Organizing a team of employees who will be responsible for responding to audit requests.
  • Carefully reviewing the audit protocol and collecting all policies, procedures and documents that the auditors will request. The protocol is a helpful roadmap.
  • Confirming that the organization recently completed a comprehensive security risk assessment.
  • Compiling a list of all business associates and copies of business associate agreements.
  • Ensuring that the organization has implemented a breach notification policy that complies with the breach notification requirements under the HIPAA Omnibus Rule, and that related implementation documents, such as risk assessments and notification letters, are available.
  • Confirming that all workforce members have received appropriate training on HIPAA policies and procedures.

Coming Soon: Preparatory Training

Thompson Hine will be offering a detailed training session to prepare participants for the Phase 2 audits. Look for an invitation soon.

For more information, please contact:

Rebeccah C. Raines

Cori R. Haper

John L. Green

or any member of our Health Care group.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.