The Office for Civil Rights (OCR) announced Phase 2 of its HIPAA audits, according to a public announcement. In its 2016 Phase 2 Audit Program, OCR will review the policies and procedures of selected covered entities and business associates to examine compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Every covered entity and business associate is eligible for an audit, which will consist of three phases. The first set of audits will be desk audits for covered entities while the second round will consist of desk audits of business associates. The third set of audits will be onsite and more comprehensive than the first two rounds. Using this data, OCR will review its best course of action to better assist covered entities and business associates in their adherence with HIPAA, factoring in size, types and operations of the auditees.

OCR will begin Phase 2 of the HIPAA audits by verifying covered entities’ and business associates’ contact information. Accordingly, all covered entities and business associates should look for an email from OSOCRAudit@hhs.gov. It is important to check spam folders, as OCR communications may be mistakenly classified as spam. If an entity does not respond, OCR will use publicly available information about the entity to create its audit subject pool. Consequently, an entity that does not respond may still be subject to an audit or compliance review.

In preparation for these audits, covered entities and business associates should consider carefully reviewing their HIPAA security and privacy policies and procedures and training programs to ensure compliance with HIPAA.