HIPAA Audits

Learn what’s involved in the Phase 2 HIPAA Audit Program and how you can prepare.


It’s that time again! The HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates. With these audits often come many questions from covered entities.
Here are a few commonly asked questions about the Phase 2 HIPAA Audit Program.

Is my organization in trouble?

No, this audit is not the result of a whistleblower complaint or a suspected HIPAA violation. It’s mainly for OCR to assess and gain an understanding of how healthcare providers are doing in HIPAA compliance, and whether any changes need to be made.

Who’s being audited?

All covered entities and their business associates are eligible. This may include health service providers, health care clearinghouses, health plans, and many business associates of these entities.

SEE ALSO: How Healthcare Security Complacency is Killing Your Organization

When is this happening?

If you’re being audited, you should have received your notification letters on Monday, July 11, 2016. Business associate audits will start in the fall.

How does the audit work?

OCR will do desk and onsite audits. These audits will look at compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. All desk audits will be done by the end of December 2016.

For the desk audit, selected entities will be sent an email, asking for documents and other data. Once you’ve submitted your information, be prepared for an onsite audit.

The onsite audits will involve someone going to your organization and examining how your organization is complying with HIPAA. These audits will examine a broader scope of requirements from the HIPAA Rules and will be more comprehensive.

Auditees will then receive audit reports, to which they can respond regarding any findings that were discovered in the audits. They will then receive a final report, which will describe how the audit was conducted, discuss any findings from the audit, and contain the entity’s responses to the findings. This report should be provided 30 days after the auditee’s response.

What happens after an audit?

OCR will review and analyze information from the audit reports. This will help OCR to better understand compliance efforts within specific elements of the HIPAA Rules.

If an audit report shows a serious compliance issue, OCR may start a compliance review to investigate. OCR won’t post a list of audited entities or the results from an audit that identifies an entity, so your privacy is safe.

Do I have to pay for the onsite audit?

No, the Department of Health and Human Services is responsible for paying the onsite auditors. Neither the entities nor their business associates will have to cover the costs of the audit program.

Getting ready for an audit

Your HIPAA audit will go much more smoothly if you are properly prepared. Here are a couple of things to do to get ready.
  • Have documentation ready: make sure all your policies and procedures are documented and easy to access. This will save you and the auditor time.
  • Conduct an internal audit: if you have time, conducting an internal audit is a good way to find and resolve any problems before your onsite audit. This process begins with a HIPAA Risk Analysis.
SEE ALSO: How to Prepare for a HIPAA Audit

If your organization has been selected, don’t worry. Make sure your organization and workforce members are properly prepared and willing to cooperate. By doing this, you’ll be helping OCR to make sure all organizations are properly protecting their patients’ data and privacy.

Need help getting HIPAA compliant? Let’s see what you need to do.

SecurityMetrics HIPAA learning center