Federal Regulators Launch New Round of HIPAA Privacy, Security and Breach Notification Audits


The Department of Health and Human Services Office for Civil Rights (“OCR”) has announced it is beginning a new round of HIPAA compliance audits, this time targeting not only covered entities, but also business associates.

Under a “Phase 1” pilot program conducted in 2011 and 2012, OCR performed onsite HIPAA compliance audits of 115 covered entities, including health plans, health care providers and health care clearinghouses.  The new program, termed “Phase 2,” initially will involve desk audits of the policies and procedures implemented by covered entities and business associates to comply with the HIPAA Privacy, Security and Breach Notification Rules.  OCR expects to complete all desk audits by the end of 2016.  A later stage of Phase 2 will include a limited number of onsite audits.  If an audit report indicates a serious compliance issue, OCR may investigate the audited organization.

OCR is now in the process of identifying potential auditees by sending out emails requesting covered entities and business associates to verify their address and contact information.  Not all organizations that are contacted will be audited.  OCR does not say how many organizations it will audit, although its goal is to include a variety of organizations based on size, geographic location and other factors.

In past statements, OCR has suggested it will focus Phase 2 Audits on areas in which covered entities frequently have been found to be noncompliant, including security risk assessment and risk management, breach notification, notice of privacy practices, individual access to protected health information, workforce training, device and media controls and the security of transmitted information.

What Can Covered Entities and Business Associates Do Now to Prepare?

Covered entities and business associates may want to conduct a HIPAA compliance review to ensure they are prepared if selected for audit by OCR.  Important areas to cover include the following: 

  • Review all HIPAA Privacy, Security and Data Breach Notification policies and procedures to ensure they are comprehensive and fully compliant.
  • Ensure that compliant business associate contracts are in place with covered entities, business associates and subcontractors, as appropriate.
  • If a security risk assessment has not been conducted recently, conduct an assessment and implement any necessary changes to security policies and procedures.  If the last risk assessment is up to date, confirm that any recommendations based on the assessment have been implemented.
  • Verify that HIPAA training is being conducted for new personnel and for existing personnel at appropriate intervals with appropriate documentation.
  • Confirm that other HIPAA documentation is compliant and properly maintained.  For example, verify that the organization’s HIPAA privacy notice contains all required elements and is being properly distributed and confirm that disclosures of protected health information requiring an accounting are being properly recorded and documented.

Morris, Manning & Martin helps clients build and maintain HIPAA compliance programs, conduct HIPAA compliance reviews and respond to OCR audits, investigations and enforcement actions.


Upcoming Webinar - Wed. April 13 @ Noon ET

Latest News on HIPAA 2016 Requirements and How to Prepare for an Audit

Join us for a complimentary webinar to discuss the recent HIPAA enforcement activities, Government HIPAA Audits for Covered Entities and Business Associates and HIPAA requirements for 2016.

All attendees will receive copies of the materials. Georgia CLE credit is available for attorneys.

Registration is required for this event.