OCR Releases Updated Audit Protocol

By Marcy Wilder, Paul Otto & Madeline Gitomer on April 4, 2016

The revamped audit protocol for the upcoming HIPAA Phase 2 audits has been released by the US Department of Health and Human Services Office for Civil Rights (OCR).  The audit protocol, which is posted on the HHS website, includes new requirements added by the 2013 Omnibus Final Rule for HIPAA covered entities and business associates.  The Phase 2 audits will be more focused, and the stakes will be higher: the agency has indicated that audits may, in certain circumstances, lead to full compliance reviews—with the potential for fines or settlement agreements related to alleged HIPAA noncompliance.  In addition, business associates will be subject to HIPAA audits for the first time.

The new audit protocol represents the agency’s effort to provide a more comprehensive and detailed guide to OCR’s enforcement and audit approach.  The protocol has been expanded to cover more HIPAA provisions than the one used during Phase 1 audits.  In addition, the documentation requirements associated with specific HIPAA provisions now frequently include a list of specific criteria that will be considered in evaluating compliance with that provision.

OCR kicked off the Phase 2 audit program last month, and has been contacting covered entities and business associates that are candidates for inclusion in the Phase 2 HIPAA audits in order to obtain and verify contact information.  OCR has put covered entities on notice that they should be on the lookout for this communication (e.g., checking junk or spam email folders for emails from OSOCRAudit@hhs.gov).  Once contact information is verified, the agency will distribute short questionnaires, seeking additional business information about potential audit candidates (e.g., number of locations, number of hospital beds, list of business associates).  Upon compiling that information, the agency will select which entities it will audit. OCR has stated that it will not audit entities with an open OCR HIPAA investigation or that are currently undergoing a compliance review.

The Phase 2 audits will be primarily “desk audits,” in which entities will be required to submit documentation electronically, in accordance with tight deadlines (expected to be ten business days).  Additionally, OCR has suggested that there may be a limited number of on-site audits included as part of Phase 2.  The agency has not yet determined whether entities subject to such audits will be pulled from the pool of entities subject to desk audits or from the broader pool of potential audit candidates the agency has identified.

  • Posted in:
    Privacy & Data Security
  • Blog:
    HL Chronicle of Data Protection
  • Organization:
    Hogan Lovells
