HIPAA Audits are Being Expanded to Include Covered Entities and Business Associates

In late March, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched Phase 2 of its audit program, intended to assess compliance with HIPAA Privacy, Security, and Breach Notification Rules and the Health Information Technology for Economic and Clinical Health Act of 2009.

Phase 1 of the HIPAA Audit Program was conducted as a pilot program in 2011 and 2012, and focused on HIPAA covered entities (e.g., health plans, hospitals and other healthcare providers that are directly subject to HIPAA).

Phase 2 audits target covered entities and business associates that create, receive, maintain or transmit health information in the course of providing services for hospitals, health plans and other covered entities.

What You Should Know

  1. How does a covered entity know that it may be audited?

    The first indication that a covered entity or its business associate is being audited will be an e-mail from OCR asking the organization to verify its contact information. This message is very innocuous, so it is important that you not miss this early warning. OCR recommends that all covered entities and business associates check their e-mail spam filters to make certain that e-mails from OCR are not caught there. This level of detail indicates just how serious OCR is about the Phase 2 audit program. We recommend that all covered entities and their business associates adopt measures to detect this contact by OCR.

  2. How does a covered entity prepare and document before receiving a notice of an audit?

    Have available documentation of:

    • a Risk Assessment of potential security risks and vulnerabilities to the organization, showing that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion, or documenting (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;
    • a complete inventory of business associates;
    • a breach notification policy;
    • a compliant Notice of Privacy Practices;
    • reasonable and appropriate safeguards in place for PHI;
    • workforce training on the HIPAA Standards;
    • an inventory of information system assets, including mobile devices;
    • that all systems and software that transmit electronic PHI employ encryption;
    • a facility security plan for each physical location that stores or otherwise has access to PHI; and
    • any HIPAA security policies that have not yet been completed as required.



Professional Benefit Administrators, Inc. | 900 Jorie Blvd., Oak Brook, IL 60523 | 800.435.5694
