The long-awaited HIPAA Phase 2 audits draw ever nearer, and more information is now available about timing and content. Here are some resources:

  • The revised HIPAA Audit Protocol is posted. While comments are invited, it is now clear that OCR will not be reviewing comments and then finalizing the protocol; this is the final version.
  • OCR posted a pre-screening questionnaire. This questionnaire is being sent out to covered entities and business associates, and OCR will select parties to audit from this pool.
  • OCR has also posted a sample template to be used by covered entities contacted by OCR as potential audit targets to identify their business associates.

Deven McGraw, Deputy Director of Health Information Privacy at OCR, said in an interview that

OCR plans to conduct this year about 200 remote desk audits focusing on compliance with only a small subset of HIPAA requirements and 10 to 25 “full scale audits” that will involve onsite visits.

Thus, while the Phase 2 audit protocol is more comprehensive than the Phase 1 protocol, just a fraction of it will be deployed in each of the desk audits. OCR experience with Phase 2 will inform development of the “permanent” audit program.

More recently, McGraw “announced at an event that covered entities would receive letters about desk audits in May, while business associates will receive such letters in June or July.”

While the number of covered entities and business associates to be audited in this round is tiny, relative to the size of the regulated community, it is worth noting that data breaches have been in the news — and these likely barely scratch the surface of the exposure that covered entities and business associates have to privacy and security risks. It is always a good time to ensure that HIPAA compliance plans and their implementation are up to snuff.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

One reply on “HIPAA Phase 2 Audit Protocol Released; More Details Emerge”

  1. On July 14, 2016, OCR announced that it had sent out notices of desk audits to selected entities on July 11:

    July 14, 2016
    OCR’s Phase Two HIPAA Audits Have Begun
    Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has officially kicked into high gear. Selected covered entities have now received notification letters regarding their inclusion in the desk audit portion of the audit program. Letters were delivered on Monday, July 11, 2016 via email to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.
    The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see table below). OCR selected these provisions for focus during the desk audits because our pilot audits, as well as our enforcement activities, have surfaced these provisions as frequent areas of noncompliance. Entities received two email communications, which were sent to the contact information confirmed by the entity during the pre-audit phase of the program. Nevertheless, these emails may be incorrectly classified as spam in the recipient’s email service. Covered entities should monitor their spam filtering and junk mail folders for emails from One e-mail includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions. Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.
    Requirements Selected for Desk Audit Review

    Privacy Rule
      • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
      • Provision of Notice – Electronic Notice [§164.520(c)(3)]
      • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

    Breach Notification Rule
      • Timeliness of Notification [§164.404(b)]
      • Content of Notification [§164.404(c)(1)]

    Security Rule
      • Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
      • Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]
