HHS Launches HIPAA Audit Program

The Department of Health and Human Services (HHS) announced that it has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules.

Drawing on its experience from the pilot audit program, OCR is implementing the second phase of its HIPAA audit program, which covers both covered entities and business associates. As part of this program, OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the effectiveness of desk audits in evaluating HIPAA compliance.

An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

HHS’ Office for Civil Rights (OCR) has already started sending emails to covered entities and business associates to verify their contact information. Next, OCR will send a pre-audit questionnaire to gather data about potential auditees. OCR will use this data to select covered entities and business associates for audits. OCR will post updated audit protocols on its website closer to conducting the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate.

Action Steps

To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Privacy, Security and Breach Notification Rules.


For more information on HIPAA or compliance audits, please contact our Compliance Department.