Last October, in a post called "HIPAA Enforcement is About to get Serious," I explained that HHS was receiving significant pressure to increase its enforcement activities and was about to commence its "Phase 2" audit program.  After a slight delay in the launch date, yesterday HHS announced that the Phase 2 audits are now getting off the ground.  You can read the full announcement here, but some highlights are:

  1. The targets of the audit are covered entities (presumably both health care providers and health plans) and business associates.
  2. The focus of the audit is to review the policies and procedures adopted by the entity to meet the privacy, security and breach notification rules.
  3. The audit program begins with an email from the HHS Office of Civil Rights asking for verification of the entity’s address and contact information.  Then you will receive an email with a pre-audit questionnaire.  HHS points out that it expects you to check your junk or spam email folders for communications from HHS.  Failing to respond to these inquiries does not keep you out of the audit pool; in fact, it may increase your chances of being selected from the pool.

You should alert your HIPAA compliance counsel if you receive any such communications from HHS.