August 3, 2021

Volume XI, Number 215



Phase 2 of the OCR HIPAA Audit Program Already Underway

On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) announced the launch of the long-awaited Phase 2 HIPAA Audit Program (Phase 2), and OCR activities related to Phase 2 are already underway. Phase 2 will consist primarily of desk audits, but will include some onsite audits, and both Covered Entities and Business Associates will be selected for audit. Shortly after its announcement, OCR released an updated protocol for Phase 2, which replaces the original protocol used in the pilot audit program and provides some insight into what the auditors will be focusing on in Phase 2. The following is a brief description of the Phase 2 audit process and what Covered Entities and Business Associates should expect.

1. Verification of Contact Information. Communications from OCR were sent via email to select entities to obtain and verify contact information. OCR has warned that these emails may be incorrectly classified as spam and expects entities to check their junk or spam folders for communications from OCR. An entity's receipt of the contact information verification communication from OCR does not mean that the entity has been selected for an audit. These communications are merely part of OCR's information-gathering efforts to create the eligible pool from which to select entities for audit.

2. Audit Pre-Screening Questionnaire. Entities that receive the contact information verification communication from OCR may also then receive an Audit Pre-Screening Questionnaire with questions tailored to whether the entity is a Covered Entity Health Care Provider, Health Plan or Healthcare Clearinghouse, or whether the entity is a Business Associate. To reiterate, receipt of the Audit Pre-Screening Questionnaire does not mean that the entity has affirmatively been selected by OCR for an audit. Rather, the questionnaire will be used by OCR to help ensure that the audit pool (and eventually the entities selected for audit) represents the diverse spectrum of types of Covered Entities and Business Associates (for instance, by type of provider, type of service rendered, and size of entity). The full questionnaire is available from OCR. Note, however, that OCR is asking Covered Entities to identify their Business Associate relationships, which OCR will then use to create the pool of potential Business Associate auditees. Covered Entities are encouraged to develop a list of their Business Associates in a form or format similar to the sample template provided by OCR. A sampling of the questions on the Audit Pre-Screening Questionnaire is provided below:

  • Entity Type (public or private?)

  • Entity locations (single location or multi-location?)

  • Organizational structure (affiliated, owned or controlled by another organization?)

  • What is the approximate total revenue for the most recent fiscal year?

  • If a Health Care Provider:

    • Are you a Covered Entity?

    • Do you maintain or transmit Protected Health Information in electronic format?

    • How many patient visits in the prior fiscal year?

    • How many patient beds?

    • Number of clinicians on staff or with privileges?

  • If a Health Plan:

    • What is the total number of members within your health plan?

  • If a Healthcare Clearinghouse:

    • Total number of transactions processed monthly?

    • Current number of healthcare providers, health plans, and other entities served?

  • If a Business Associate:

    • What types of Covered Entities do you provide services for?

    • Do you perform business associate functions in more than one state?

Following its receipt of the completed Audit Pre-Screening Questionnaires, OCR will then select the entities that will be audited. Notably, OCR has advised that failing to respond to a verification of contact information request or failing to complete the Audit Pre-Screening Questionnaire will not remove the entity from the potential audit pool. Auditees will be randomly selected from the audit pool; however, OCR has publicly posted that entities with an open complaint investigation or that are currently undergoing a compliance review will not be selected for a Phase 2 audit.

3. Desk Audits. After OCR selects the auditees, OCR will first perform desk audits of Covered Entities and then will replicate the desk audit process for Business Associates.

  • Topics: Desk audits will be limited in scope and will focus on the following topics: risk analysis, risk management, notice of privacy practices, an individual's right to access his/her Protected Health Information, and breach notification letters (looking at both content and timeliness).

  • Information Request: Audited entities will have 10 days from the date of the information request to respond to OCR, and entities must submit their response and relevant documentation online using a new secure audit portal on OCR's website. OCR states that all documents must be in digital form and submitted electronically via this portal.

  • Findings: After OCR receives the documents from the audited entity, an auditor will review the information and provide draft findings. Auditees will have 10 business days to review and return written comments, if any, to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee's response. OCR will share a copy of the final report with the audited entity.

  • Timeline: Desk audits are scheduled to be complete by the end of December 2016.

4. Onsite Audits. After the conclusion of desk audits, OCR will complete onsite audits of selected Covered Entities and Business Associates, some of which may be entities that went through the desk audit process. Similar to desk audits, entities will be notified via email of their selection for an onsite audit.

  • Topics: Onsite audits will be more comprehensive than desk audits and cover a wider range of requirements under HIPAA.

  • Timeframe: Each onsite audit will be conducted over 3 to 5 days onsite, depending on the size of the entity.

  • Findings: Entities will have 10 business days to review the draft findings and provide written comments to the auditor. The auditor will complete a final audit report for each entity within 30 business days after the auditee's response. OCR will share a copy of the final report with the audited entity.

5. Post-Audit Findings. OCR has indicated that its primary purpose in conducting the Phase 2 audits is to better understand Covered Entity and Business Associate compliance efforts related to certain aspects of the HIPAA regulations and not to bring enforcement actions. However, OCR has reserved the right to initiate a compliance review against an audited entity if the audit uncovers a serious compliance issue. OCR intends to use its audit findings to identify the types of technical assistance OCR should develop and the types of corrective action that would be most helpful. Through the information gleaned from the audits, OCR will also develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. OCR will not publicly post the identity of the audited entities and the individual findings; however, some information, such as the audit notification letters, may be requested and made available to individuals under the Freedom of Information Act (FOIA).

© Polsinelli PC, Polsinelli LLP in California

National Law Review, Volume VI, Number 124

About the Authors

Lisa J. Acevedo, Polsinelli, HIPAA Compliance Lawyer, Health Privacy Matters Attorney

Lisa Acevedo provides strategic counsel in the areas of federal health privacy laws, including HIPAA, as amended by the HITECH Act, FERPA, the Confidentiality of Alcohol and Drug Abuse Treatment Records Regulation, as well as state laws governing the confidentiality of health information, medical records, mental health records, and records containing other highly sensitive information. She has assisted clients through security breaches and the notification process, both at the federal and state levels.

She guides clients through the...

Erin Fleming Dunlap, Polsinelli, Compliance Matters Attorney, Health Insurance Portability Lawyer

Erin Dunlap is proactive and quick to respond to clients' needs. She regularly advises health care clients on legal and regulatory compliance matters. She also has a litigation background that enables her to assist clients when things do not go as planned, such as when a laptop containing patient information is stolen, a patient threatens to sue for improper disclosure, or law enforcement demands the production of medical records.

Erin focuses primarily on privacy and security issues arising under:

  • Health...
In a regulatory environment where even the most minor details matter, Rebecca Frigy Romine thrives on helping clients find practical and creative solutions and action plans.

Her practice focuses on many facets of the general health care business with a specific emphasis on the privacy and security of health information and medical staff issues.

Rebecca has significant experience in and frequently writes on these topics and remains abreast of regulatory changes and best practice.

Lindsay Dailey, Health Care Privacy Attorney

Lindsay Dailey serves clients at the intersection of healthcare regulatory and privacy/data security compliance. Prior to joining the firm, Lindsay worked with the American Medical Association, American Dental Association, and Rehabilitation Institute of Chicago. This in-house experience in corporate compliance and regulatory issues serves her practice and her clients well - in fact, she spent over a year in-house seconded to the Privacy Office of a firm client, a national retail pharmacy chain.

Lindsay graduated law school with a certificate in Health Law, and she was formerly a...

Katie Kenney specializes in HIPAA/HITECH issues and delivers particular strength in privacy, security, and breach regulatory issues for covered entities and business associates. Prior to joining the firm, Katie worked for the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). At OCR, she served as the subject matter expert for breach notification, assisted in the administrative rulemaking process, drafted Preamble language for the recently published Omnibus Rule amending HIPAA, and actively participated on OCR's audit team. Katie's time at...