The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) has announced that it will be starting Phase 2 of its Health Insurance Portability and Accountability Act (HIPAA) Audit Program.  While Phase 1 audits only concerned covered entities, Phase 2 audits will consist of a review of the policies and procedures of both covered entities and business associates to determine if they meet the requirements under the HIPAA Privacy, Security, and Breach Notification Rules.


The OCR is currently in the process of contacting potential auditees to verify contact information.  These communications will be sent only via e-mail.  The OCR has stated that this initial e-mail may be categorized as junk by certain spam filters; therefore, covered entities and business associates should regularly check their spam or junk e-mail folders to ensure that they receive e-mails from  Once the contact information has been confirmed, OCR will send a pre-audit questionnaire to collect information about the “size, type, and operations of potential auditees.”  Based on the data gathered from the questionnaires, the OCR will determine their final pool of auditees.


Phase 2 audits will consist of both desk and on-site audits.  Desk audits will include requests to provide documentation demonstrating compliance with HIPAA Privacy, Security, and Breach Notification Rules.  Once a covered entity or business associate receives an audit request, they will have 10 business days to respond.  All documents must be submitted electronically to a secure online portal provided by the OCR.  The desk audits are expected to be completed by the end of December 2016.


Entities may also be selected for on-site audits.  If selected, the OCR will notify the entity via e-mail, schedule a date, and provide information about the on-site audit process.  The on-site audits will last three to five days, depending on the size of the entity.


Action Items


Covered entities and business associates should monitor their e-mail inboxes and timely respond to requests they may receive from OCR to verify their contact information and/or complete the pre-audit questionnaire.  Employers sponsoring group health plans should also review their compliance with HIPAA Privacy, Security, and Breach Notification Rules; ensure their policies, procedures, and training are up to date; and have supporting documentation readily available.  Examples of such documents include, but are not limited to, HIPAA Privacy Policy and Procedures Manuals, business associate agreements, and HIPAA training materials.



Bonnie Mangels – Bonnie is the Corporate Counsel and Senior Compliance Manager for Sequoia. When not inundated in paperwork and legal briefs, her interests include arts and crafts, bunnies, and the Bay Area.