In connection with this second phase of HIPAA audits, OCR released an updated audit protocol that identifies potential areas of audit inquiry. To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Rules and make any necessary changes. OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance.
Also, even if a health plan or business associate is not selected for a Phase 2 audit, it is still important to remain prepared for a HIPAA compliance review—OCR will likely continue its enforcement efforts after the Phase 2 audits are complete.
Audit Protocol
OCR published an audit protocol to provide clarity on the HIPAA standards that auditors may assess during an audit. OCR first made its HIPAA audit protocol available in 2012 in connection with its pilot audit program. In 2016, OCR released an updated audit protocol, which includes changes made by the HIPAA Omnibus final rule from 2013.