The Office for Civil Rights (OCR) has released additional information about its Phase II audits for compliance with the Health Insurance Portability and Accountability Act (HIPAA). The long-anticipated audits began in early July and will be carried out in three waves. OCR stated that it expects to carry out 200-250 audits in total.

The first wave, currently in progress, consists of desk audits that focus on covered entities only. According to OCR, the agency is in the process of auditing 167 such covered entities. As part of the audits, the covered entities have been asked to identify their business associates. The second wave, focusing on business associates, will begin in late September, and will again involve desk audits. OCR indicated it will select the business associate auditees based in part on the business associates identified during the first wave. The third wave, scheduled to roll out in 2017, will involve a small number of comprehensive on-site audits. OCR noted it could opt to conduct an on-site audit for an entity that had already undergone the desk audit process.

OCR also released several guidance documents related to the audits, including an explanation of the HIPAA protocols that are being examined during the first wave of audits and a slide presentation prepared by OCR for the covered entity auditees.

TIP: Companies that have signed business associate agreements should assess their compliance with HIPAA ahead of the second wave of audits. Companies can use the audit protocols OCR released earlier this year to help determine how their HIPAA programs, including related policies and procedures, measure up against the agency’s expectations.