March 23, 2016

Phase 2 HIPAA Compliance Audits Set To Begin

By Kelly McGee

UPDATE: After over a year of delays, the Health and Human Services Office of Civil Rights (OCR) has announced that it is beginning Phase 2 HIPAA audits. The OCR has stated that these audits will focus on reviews of policies and procedures put in place by covered entities and business associates to comply with HIPAA. The audits will be mainly desk audits, but the OCR will also conduct some on-site audits.

The Phase 2 HIPAA audits will commence with an email to verify an entity’s address and contact information, sent from the OCR’s email address. Be sure that your staff is on the lookout for an email from the OCR and that procedures are in place to respond quickly.

**--- Original Post - 30 July 2015 ---**

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) was given a mandate to conduct periodic Health Insurance Portability and Accountability Act (HIPAA) compliance audits. In these audits, the OCR is tasked with assessing the compliance of providers, health plans and healthcare clearinghouses (referred to under HIPAA as “covered entities”) with the Security Rule, the Privacy Rule, and the Breach Notification Rule. The OCR conducted Phase 1 pilot audits in 2011 and 2012, and anticipated starting Phase 2 audits in late 2014. Although the Phase 2 audits have been postponed, recent actions by the OCR, such as sending out surveys to confirm covered entities’ contact information, indicate that the OCR could commence Phase 2 at any time.(1) Now is the time for covered entities to prepare for a HIPAA compliance audit, or potentially find themselves subject to large fines for non-compliance.

Findings of the Phase 1 Pilot Audits

During 2011 and 2012, the OCR conducted 115 Phase 1 pilot audits and found that covered entities typically struggle the most with Security Rule compliance, with 60% of the audit findings focusing on Security Rule issues. Healthcare providers had more compliance issues than health plans or healthcare clearinghouses, and small organizations were less compliant than larger organizations.

The OCR made it clear that demonstrating compliance means more than merely having policies and procedures. Covered entities must show that personnel are aware of and follow the policies and procedures that are in place. In addition, it is the responsibility of covered entities to identify risk and have a risk mitigation strategy. According to an analysis of the Phase 1 audit data, about 80% of providers and nearly 57% of health plans did not have complete or accurate risk analysis programs.

Preparing for Phase 2 Audits

Although the OCR has not yet begun Phase 2 audits, now is the time for covered entities to prepare. Below are suggested guidelines for covered entities to ensure that they are ready for audit review.

Initial Preparation
As an initial step, covered entities should immediately review their policies and procedures, as well as any HIPAA-related documentation, such as business associate agreements or breach logs, to ensure that such documentation complies with current HIPAA law. As part of the Phase 2 audits, the OCR will also request lists of business associates from some covered entities, particularly information technology-related business associates. Covered entities should review their business associate lists for accuracy.

The OCR will notify the covered entities selected for an audit by letter, and the covered entity may have only a short window of time to initially respond. Staff should be informed that such a letter may arrive, and of its importance. In addition, covered entities need to have their audit response protocol in place, including the staff member in charge of the response and the individuals on the response team.

Security Rule Compliance
The OCR placed a heavy emphasis on HIPAA Security Rule compliance in the pilot audits. The Security Rule establishes standards for administrative, technical and physical safeguards that covered entities must implement to ensure the security of patient information. Covered entities need to document their risk analysis plans and update those plans at least every three years (though many HIPAA advisors recommend updating annually), and whenever there is an environmental or operational change in the organization. In addition, covered entities must show an active, documented plan to manage and reduce risks, and clearly indicate which area of the organization is responsible for risk analysis and management, whether it be Compliance, Information Technology, or another department. Finally, the covered entity must evaluate compliance with the administrative, physical and technical safeguards set forth in the Security Rule.

Privacy Rule Compliance
The Privacy Rule establishes standards to protect medical records and other personal health information by setting limits on the uses and disclosures of such information, and gives patients rights over their health information. To prepare for a HIPAA audit, each covered entity should review its privacy policies and procedures to ensure that the policies are in compliance, as are the actual practices of the covered entity and its staff. In addition, the HIPAA Omnibus Rule required all covered entities to update their Notices of Privacy Practices by September 23, 2013. Accurate and adequate documentation is the key to demonstrating compliance with the HIPAA Privacy Rule. Any records involving HIPAA policies, training, breaches, sanctions, etc. should be maintained and readily available in preparation for an OCR audit.

Breach Notification Rule Compliance
The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of patient information. Every covered entity must have breach policies and procedures in place that comply with HIPAA and relevant state confidentiality and privacy laws. For each breach or other security incident, covered entities need to show auditors documentation of the completed breach risk assessment, and documentation of notification to affected individuals, the Office of Health and Human Services, and the media (if applicable), as well as any law enforcement delays placed on the required notifications.

What to Expect in a HIPAA Audit

As of May 2015, the OCR confirmed that it is in the process of verifying covered entity contact information,(2) indicating that Phase 2 audits could begin at any time. In addition to an unknown number of onsite audits, which will last between three and ten days, the OCR anticipates conducting about 200 offsite audits, which will be paper review only, and of limited scope. When the audits finally begin, the best way for a covered entity to respond is to provide all documentation needed to demonstrate compliance in the manner and timeframe requested, and to clarify any documents that are not clear on their face.

While the main goal of these audits is compliance improvement, if any serious compliance issues exist, the audit may result in an enforcement action. Such enforcement actions have increased recently, with over $10 million paid in settlements in 2014. As the OCR gains more financial resources through collecting settlements, the number of audits will only increase in the future. Privacy attorney Adam Greene, a former OCR employee, stated that he has heard anecdotally that the OCR has a significant pipeline of unprecedented settlement agreements and potentially record-breaking financial penalties.(3)

In addition to potential Federal penalties for non-compliance, the HITECH Act gave state Attorneys General authority to enforce HIPAA rules by bringing actions in state court on behalf of state residents. The Massachusetts Office of the Attorney General has taken advantage of this opportunity, resulting in recent settlements of $40,000 and $100,000 by two large Massachusetts hospitals as a result of stolen laptops containing patient information.

Additional Resources for Covered Entities

Now is the time for covered entities to prepare for a possible Phase 2 HIPAA audit. Below are a series of resources that covered entities can use to ensure that their policies, procedures and documentation are in compliance and will withstand the scrutiny of an OCR audit.

HIPAA Audit Protocol

HHS Security Risk Assessment

OCR Security Risk Analysis Guidance

Guide to Privacy and Security of Electronic Health Information, The Office of the National Coordinator for Health Information Technology

About the Author

Kelly McGee

Kelly McGee is a Rhode Island attorney providing general corporate and regulatory legal services, as well as strategic advice, to healthcare clients. You can find her on LinkedIn.