Office of Civil Rights Phase 2 HIPAA Audit Protocols

Posted by Gerry Blass


Several healthcare organizations have recently reported that the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has sent pre-audit screening surveys to a select number of Covered Entities (CEs) with the intention of starting its second phase of audits. The OCR's Phase 2 Audits will focus on an organization's compliance with the HIPAA Privacy, Security, and Breach Notification rules, as mandated by the HITECH Act and the Omnibus Final Rule.


Up until this point, phase 1 audits have included an analysis of a CE's compliance with HIPAA. One objective of the second phase is to expand the audits to include Business Associates (BAs). This expansion hinges on the passage of the Omnibus Final Rule in 2013, which holds BAs legally responsible for the same HIPAA compliance regulations as a CE.

A second objective of the OCR's phase 2 audits is to review an organization's compliance using a revised approach. In the past, a comprehensive review of the HIPAA standards was conducted, but phase 2 will narrow the focus of an audit to what the OCR believes to be the "high risk" areas of protected health information (PHI).

A third objective of these audits will be to identify best practices, uncover risks, and expose vulnerabilities that may have been missed during phase 1. Phase 2 audit findings will identify technical assistance that should be developed for all healthcare organizations, and in cases where an audit reveals serious compliance concerns, the OCR could decide to impose civil monetary penalties.

Phase 2 Selection and Scope

Based on prior statements from the OCR and their recently distributed survey, the pool of audit candidates will be approximately 800 to start. These randomly selected organizations will be chosen using the National Provider Identifier database and other external sources.

The OCR has said that, based on the survey responses, it will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses, for Phase 2 Audits. The OCR will then notify and send data requests to the 350 selected covered entities. The data requests will ask the covered entities to identify and provide contact information for their business associates. The OCR will select the business associates that will participate in the Phase 2 Audits from this pool. The OCR had previously indicated that compliance audits of business associates would begin in 2015 and continue into 2016, but this timeframe will likely be pushed back based on the delay in the Phase 2 Audits of covered entities.

Audit Types

In the months leading up to the OCR's Phase 2 Audit kickoff, a different auditing style was introduced. The OCR is moving to an offsite approach entitled "desk auditing." In recent weeks, the OCR has stated that most of the Phase 2 Audits will be of the desk variety, but comprehensive onsite audits will be scheduled as well.

In order for organizations to comply with the phase 2 updates, the OCR will be posting its phase 2 protocol on its website in the near future. The audits will focus on the more delinquent phase 1 findings, such as risk analysis, risk management, content and timeliness of breach notification, notice of privacy practices, individual access, the Privacy Standards' reasonable safeguards requirement, workforce member training, device and media controls, and transmission security. As the Phase 2 Audits progress, a new focus will be centered on the Security Standards: encryption and decryption, facility access control, and breach reports and complaints, as well as the previously mentioned areas.

BA Phase 2 Audits will have an emphasis on safeguards such as risk analysis, risk management and breach reporting to CEs.

Once an audit is complete, the OCR will turn over a draft report to the organization. The organization will then have a chance to submit a management response. The OCR will take all management responses into account before the report is finalized.

Steps to Prepare for an Audit

An OCR Phase 2 Audit could consist of the following items. CEs and BAs should confirm that:

  • their organization has policies and procedures that cover all three rules and are audited, reviewed and updated on a consistent periodic basis and whenever there are changes to the organization and/or the rules
  • their organization has recently completed a Risk Assessment to verify that appropriate safeguards are in place for PHI in any form (e.g. electronic, paper, and verbal)
  • all action items identified in the Risk Assessment have been completed or are in the process of being completed
  • their organization has a complete inventory of business associates and their contact information
  • their organization has documented safeguards for all addressable security standards and has documented the reasons why any addressable items have not been implemented
  • their organization has implemented a breach notification policy that aligns with the Breach Notification Standards
  • workforce members have received training on the HIPAA Standards that are necessary or appropriate for them to perform their job duties
  • their organization has a readily available Notice of Privacy Practices compliant with the Omnibus Final Rule
  • their organization maintains an inventory of information system assets, including mobile devices
  • all systems and software that transmit electronic PHI employ encryption technology, or the organization has a documented risk analysis supporting the decision not to employ encryption
  • their organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan

About The Author

Gerry Blass is the President & CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. ComplyAssistant provides IT and compliance consulting services and software, also called ComplyAssistant. The software is a compliance management cloud portal that provides guidance, organization and collaboration alerts and notifications for more effective management and documentation of healthcare compliance activities.
