Preparing for HIPAA Phase 2 Audits

In 2016 the Office of Civil Rights (“OCR”) rolls out its HIPAA Phase 2 Audits. Phase 2 audits will review both Covered Entities (“CEs”) and their Business Associates (“BAs”) and analyze their policies and procedures’ consistency with the privacy, security and breach notification requirements under HIPAA. OCR will perform desk audits on many types of providers, with a few on-site audits.

Some of our clients have already received requests for information regarding the Phase 2 audits. Are you prepared? This advisory provides an overview of the procedures and timing of Phase 2 audits and general areas to be reviewed by OCR.

Pre-Audit Screening and Questionnaire

OCR has already begun emailing letter requests to CEs and BAs asking them to verify addresses and contact information. OCR will use this information to develop an “audit subject pool.” CEs and BAs cannot avoid the audit by ignoring the request; if an entity fails to respond, OCR will use publicly available information about the entity, and, if audited, the entity will be required to correct any misinformation. OCR encourages CEs and BAs to check their spam folders to ensure that this email request is not overlooked.

Subsequent to the verification email, the entity will receive a pre-audit questionnaire requesting information about the provider’s size, services, operations, and a list identifying all BAs. The list must include the name of the BA, type of services provided by the BA, point of contact, and secondary point of contact, if available. OCR offers a sample template here and recommends that entities develop this list in advance of any OCR request.

Audit Process

OCR plans to conduct three rounds of audits for CEs and their BAs. OCR will audit CEs during the first round and BAs during the second round. Both the first and second rounds will be desk audits. OCR will conduct onsite audits during the third round, and some entities that were already desk audited may receive an additional onsite audit.

OCR will send a document request letter detailing the policies, procedures, and data the entity must provide to OCR. CEs and BAs must respond within 10 days of receipt of the letter via a new, secure audit portal on OCR’s website. Entities should submit the documents currently in use at the time of OCR’s request. OCR then has 10 days after receiving the entity’s response to provide a draft audit report and 30 days to provide the final report.

Desk audits will analyze policies, procedures, and documents that CEs and BAs use to comply with the privacy, security, and breach notification rules under HIPAA. OCR will employ a comprehensive audit protocol to analyze both content and implementation of CE and BA policies and procedures. The protocol is extensive, but in general it covers risk analysis, risk management, notice of privacy practices, individual’s right to access protected health information, and breach notification letters (for both content and timeliness). OCR’s document request will ask for copies of patients’ record requests and original or sample breach notification letters.

If you are selected for an onsite audit, OCR auditors will contact you via email to schedule an entrance conference during which the auditor will provide more information about the process. Onsite audits will cover a wider range of HIPAA compliance than desk audits. OCR expects each onsite audit to last approximately 3 to 5 days, depending upon the size of the entity. The same time frame described above applies to onsite audits – OCR draft reports are to be completed in 10 days and final reports within 30 days. OCR expects to distribute its final reports by December 31, 2016 to individual entities.

OCR states that the primary purpose for the Phase 2 audits is compliance improvement and that it will review and analyze information from the final reports to better understand compliance efforts and what types of technical assistance and corrective action would be most helpful to CEs and BAs. However, if an OCR audit indicates a serious compliance issue, the entity may be subject to further investigation and compliance review. OCR will not publish the results of audits or anything that identifies individual entities but is required to respond to requests under the Freedom of Information Act (“FOIA”) related to audit notification letters and audit results.

You need to act now to prepare for Phase 2 audits should OCR select your organization as a CE or BA for review. CEs should either update or create a list of BAs, and review BA agreements to ensure that they are up to date and easily accessible. CEs and BAs should also conduct internal audits for risk analysis and management to review policies and procedures and their implementation in the organization.

Should you or your organization have any questions regarding OCR’s HIPAA Phase 2 audits and the implications for your facility or practice, please contact Goodman Allen Donnelly.

This Client Advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.