Next Stage of DHHS Audits Coming: HIPAA & HITECH Act Blog by Jonathan P. Tomes


The U.S. Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) has not yet published an audit protocol for this year’s Phase 2 Audits, following last year’s initial audits. It has, however, published a notice in the Federal Register titled “Agency Information Collection Activities; Proposed Collection; Public Comment Request.” The notice seeks comments from the public regarding the burden estimate of the information collection request (“ICR”) or any other aspect of the ICR.

The information collection consists of a survey of up to 1,200 HIPAA covered entities and business associates to determine eligibility for the audit program. OCR will use the information gathered to assess the size, complexity, and fitness of a respondent for an audit. Such information includes number of patient visits, numbers of insureds, use of electronic information, revenue, and business locations.

OCR will select about 350 covered entities and 50 business associates. Of the covered entities, about 150 will be audited for compliance with the Security Rule, 100 for compliance with the Privacy Rule, and 100 for compliance with the Breach Notification Rule; the 50 business associates will be audited for Security Rule compliance. OCR will begin the Phase 2 Audits of the covered entities by sending data requests this fall and then begin the Phase 2 Audits of the business associates in 2015.

The Phase 2 Audits will differ from the Phase 1 Audits previously conducted in several ways. First, unlike Phase 1, Phase 2 will include business associates. Second, Phase 2 will focus on areas of greater risk to the security of protected health information (“PHI”) and on pervasive noncompliance identified in Phase 1. Finally, unlike the Phase 1 audits, the Phase 2 audits will be desk audits rather than onsite audits.

The following deficiencies were prevalent in the Phase 1 audits:

  • No or insufficient risk analysis.
  • Deficient breach notification.
  • Deficient notices of privacy practices.
  • Insufficient device and media controls.
  • Poor transmission security.

OCR notes that its covered entity audits will also focus on encryption requirements, facility access control, breach reports, and complaints, perhaps among other areas. Audits of business associates will focus on risk analysis and management and breach reporting to covered entities.

These Phase 2 Audits do not really add anything new to what we at Veterans Press and EMR Legal have been stressing for years now:

  • Conduct a thorough written risk analysis and, if you have already conducted one, update it.
  • Ensure that you have appropriately trained your workforce and documented it.
  • Ensure that you have reasonable and appropriate safeguards in place for all PHI, including all necessary policies.
  • Ensure that you have a procedure for handling security incidents, including a breach notification policy.

Of course, once OCR has published the audit protocol, we will digest it, explain it, and post a link here on our blog.

Are you audit ready? Are you sure? Have you performed or updated your required risk analysis under HIPAA? Have you trained your workforce and documented that training in writing? Have you drafted, adopted, implemented, and enforced all of the required, addressable, and optional policies and procedures that you need? Have you documented in writing why you have or have not done so? Do you want to get your organization HIPAA compliant in one fell swoop? Call our marketing director, Patrick R. Head II, toll-free at 855-341-8783 or email him at While you are talking with Patrick, ask him about our upcoming two-day Hands-on HIPAA Workshop aboard the Queen Mary anchored in Long Beach, California, October 16-17, 2014. We would like to have you join us.