  Health Care Institute News and Insights

Phase 2 of HIPAA Compliance Audits Set to Begin in 2016

  by Megan Headley | January 05, 2016

Another survey-style program — requiring dedicated time, effort and resources for working with auditors — may be heading soon to your environments of care. The Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) has announced that Phase 2 of its audit program assessing compliance with the HIPAA Privacy Rule is set to begin in early 2016.

OCR enforces the HIPAA Privacy Rule, which protects the privacy of patients’ health information. The audit program is intended to help OCR more proactively identify incidents of noncompliance among covered entities (which include health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with a HIPAA-covered transaction). According to a recent report from DHHS’ Office of Inspector General (OIG), OCR currently takes a more reactive approach, typically only investigating violations reported by patient complaints, tips or media reports.

OCR launched Phase 1 of its pilot audit program in 2013, during which it determined that the two most common types of noncompliance were related to the standard on restricting uses and disclosures of protected health information and the standard on implementing safeguards. In a letter responding to the OIG report (included in the OIG report as Appendix C), the OCR notes that Phase 2 of its audit program “will test the efficacy of the combination of desk reviews of policies as well as on-site reviews; it will target specific common areas of noncompliance; and it will include HIPAA business associates.” However, the OCR response also states that the scope of the audit program will depend in part on the availability of resources.

To ensure your compliance, review DHHS’ information on current requirements for the audit program by visiting