It has been confirmed that the US Department of Health and Services Office for Civil Rights (OCR) will conduct Phase 2 of the Health Insurance Portability and Accountability Act (HIPAA) audit programme. It is thought that Phase 2 will focus on areas of greater risk to the security of protected health information and on key areas of non-compliance identified in Phase 1 of the investigation.

The OCR is currently contacting up to 800 covered entities and 400 business associates to complete a pre-audit questionnaire. Then, from this pool, the OCR will select the organisations to be audited.

Organisations should be mindful to the fact that, where an audit reveals serious compliance concerns, it is within the remit of the OCR to initiate a compliance review that could, ultimately, lead to civil money penalties.