The Office for Civil Rights Announces Phase 2 HIPAA Audits

The Office for Civil Rights Announces Phase 2 HIPAA Audits

May 15, 2014

On March 31, 2014, the Office for Civil Rights (OCR) finally provided insight into its plans for the upcoming Phase 2 HIPAA Privacy, Security, and Breach Notification audits1 The new program bears little resemblance to the earlier audits, thus all Covered Entities (CEs) and Business Associates (BAs) should be taking action. The OCR announced it will conduct the audits itself, rely solely on the offsite review of evidence rather than onsite inspections, shift the focus to target high-risk areas instead of covering all HIPAA requirements, and audit significantly more organizations than in the previous phase.

How will Phase 2 be different?

Selection Process

The OCR plans to randomly audit 350 CEs (232 providers, 109 health plans and 9 clearinghouses), from October 2014 through June 2015. Starting in 2015, 50 BAs will be randomly audited as well, which include 35 “IT related” BAs (e.g., cloud/data hosting, etc.) and 15 “non-IT related” BAs (e.g., TPAs, claims processing, etc.). In order to select the 350 CEs, the OCR will contact a larger group of 550-800 CEs during the summer of 2014 and require those CEs to complete an online “pre-audit survey” to provide information regarding their size, location, services and contacts. These CEs also will be required to provide contact information for each of their BAs. The CE audit participants will be selected from that larger group while the BA audit participants will be selected from the group identified by those CEs.

Audit Scope

These audits will have a much narrower focus. For the 350 CEs, 100 CEs will be audited on the Privacy Rule, “[patient] notice and access”; another 100 distinct CEs on the Breach Notification Rule, “content and timeliness of notifications”; and yet another 150 distinct CEs on the Security Rule, “risk analysis and risk management.” The 50 BA audits will focus on “risk analysis and risk management” as well as “breach reporting to CE” practices. The OCR will then conduct more audits later in 2015 (projected), which more than likely will focus on topics such as ePHI transmission security, device/media controls, privacy safeguards and training efforts. Furthermore, during 2016, the OCR will conduct additional audits focusing on higher risk security topics such as encryption and decryption, facility physical access controls, and other areas of high risk identified by the audit process, breach reports and complaints.

Audit Process

  • Notification: The OCR will begin sending notification and data request letters beginning this fall.
  • Data request: After receiving their notification letters, CEs and BAs will have two weeks to respond to initial data requests. The OCR will not consider data sent after that period, thus CEs and BAs will need to ensure their documentation and evidence is in order and readily available.

1As presented by the OCR during “OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2,” at the 2014 Compliance Institute hosted by the Health Care Compliance Association.

  • Desk audits”: The OCR staff will conduct audits remotely through “Desk Audits,” as opposed to earlier audits in which contractors were physically onsite. The auditors will use an updated audit protocol that will reflect Omnibus changes and will include more specific test procedures. Updated audit protocols are anticipated to be made available on the OCR’s website but a corresponding date has not yet been finalized. Audit participants will not have the opportunity to provide clarification (either verbally or in writing) or provide any supplemental information after their initial response. CEs and BAs will need to ensure their initial response is comprehensive but also easily understandable.
  • Report: Prior to the finalization of the audit findings, the OCR will present the organization with a draft version of the report to allow management review prior to publishing the final report. However, while the OCR may take feedback into consideration, this is not to be interpreted as a secondary data request, nor an opportunity for the audit participant to provide supplemental information.

What should you do?

Prepare for compliance instead of responding to audits

It is important that your organization does not adopt a mindset of trying to prepare solely for passing an audit. You should continue with your journey of enhancing compliance practices and continually improving organizational awareness. Your organization should focus on protecting the privacy and security of patient information and reducing the probability of a breach. Passing an audit should be the by product of an effective compliance culture, rather than your target or goal. While OCR audits can be painful and time-consuming, they pale in comparison to what your organization may endure in the event of a breach. At a minimum, your organization should be undertaking the following initiatives, which are all required by HIPAA and should not be considered optional:

  • Ensure that security, privacy, and breach policies and procedures are documented and regularly reviewed/updated.
  •  Maintain a repository containing all BAs affiliated with your organization. Also, ensure that the business associate agreements (BAAs) have been updated to reflect Omnibus changes. BAAs should be stored and organized in a manner that you can appropriately manage, review and maintain, and facilitate your ability to provide an inventory of the organizations you consider BAs when the OCR requests them.
  • Perform an evaluation of your organization’s compliance program including the Privacy, Security, and Breach Notification requirements. Review for appropriate policies and procedures, assess the sufficiency of your practices, evaluate the detail of your supporting documentation, and perform corroboration activities where necessary. Ensure the evaluation assesses your compliance with all applicable HIPAA regulatory requirements, identifies areas that may be lacking and develops remediating action plans.
  • Ensure that a security risk analysis is regularly performed by your organization and that it adheres to the requirements set forth in the HIPAA Security Rule (refer to the OCR’s “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”). While the Department of Health and Human Services (HHS), which oversees the OCR, has released a security risk assessment tool, be very cautious in your use of this tool. HHS and OCR have stated that the tool will not guarantee compliance and that it is to be used primarily by small provider practices. 

As the healthcare industry continues to experience increased scrutiny and the volume of breaches expands on a seemingly daily basis, your HIPAA compliance practices become increasingly important as well. Make sure your organization is implementing the proper practices to create a culture of compliance and is taking the necessary steps to protect the PHI in your environment appropriately.

This flash report is based on information available from the OCR as of May 2014, as well as our subjective interpretation of various aspects of that information, and the details outlined herein are subject to change at the discretion of the OCR.

© 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

About Protiviti

Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About Our HIPAA Practice

Our healthcare professionals have assisted numerous clients since HIPAA’s inception and we share knowledge gained from decades of experience with our clients. Protiviti is particularly well-suited to deliver assessments and provide solutions that reflect an appreciation for the full lifecycle of developing and maintaining a holistic, risk-based approach to HIPAA compliance for your organization.

Susan Haseley

Managing Director



[email protected]

Richard Williams

Managing Director



[email protected]

Alex Robison

Managing Director



[email protected]

Kyle Furtis

Managing Director

New York City


[email protected]



Ready to work with us?