On March 21, 2016, the HHS Office for Civil Rights (OCR) announced that it has begun “Phase 2” of audits of covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”). Phase 1 was limited to a pilot program designed to develop a standard set of audit protocols.

In Phase 2, OCR intends to review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the HIPAA Rules. Although these will primarily be desk audits, some on-site audits also will be conducted.

OCR plans to begin the process by sending an email to covered entities and business associates requesting verification of the entity’s address and contact information. OCR then intends to transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees, from which it will create potential audit subject pools. OCR has cautioned covered entities that the email may be incorrectly classified as spam, and it expects entities to check their junk or spam email folders for emails from OCR. The email will come from OSOCRAudit@hhs.gov and an example of the email attachment can be found here.

While it might be tempting to ignore an email from OCR in order to avoid becoming part of the potential audit pool, OCR has made it clear that if an entity does not respond to OCR’s request to verify its contact information or to the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond may still be selected for an audit or subject to a compliance review. A Q&A on the HHS website indicates that every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services, health plans of all sizes and functions, health care clearinghouses, and a range of business associates of these entities.

OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the final HIPAA Rules and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities. Plan sponsors and business associates should be on the lookout for an email from OCR and review their HIPAA policies and procedures for compliance in case they are ultimately selected for a Phase 2 audit.