On March 21, 2016, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that it has begun the second phase of its HIPAA Audit Program. The HIPAA Audit Program is intended to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

In this second phase, OCR will review the HIPAA policies and procedures that each covered entity and business associate is required to adopt as part of its HIPAA compliance scheme. The HIPAA policies and procedures must describe the standards and implementation specifications adopted by a covered entity or a business associate to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

In its announcement, OCR states that the second phase of the HIPAA Audit Program will begin with data verification and an email being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner. OCR will then transmit a pre-audit questionnaire to gather data from the covered entity or business associate. This data will be used with other information to create an audit subject pool.

While OCR acknowledges that its email may unintentionally be directed to an entity’s spam folder, it will not accept that as an excuse for not responding. Rather, OCR expects covered entities and business associate to check their junk or spam email folders for emails from OCR.

OCR will post audit protocols on its website closer to conducting the 2016 audits. To learn more about the second phase of OCR’s HIPAA Audit program, you can visit HHS’s website.