OCR launches HIPAA Phase 2 Audits and announces deadline and focus areas


The HIPAA Phase 2 Audit Program has “officially kicked into high gear” — which is how the Office for Civil Rights (OCR) put it in an announcement on July 14, 2016. We have known for some time that OCR was in the beginning stages of the Phase 2 Audits, and, yesterday, OCR formally announced that the Phase 2 Audits are underway.

OCR announced that letters were delivered on Monday, July 11, 2016, via email to 167 health plans, health care providers and health care clearinghouses being audited. Included in the letter are instructions for responding to the desk audit document requests, a timeline for response and a unique link for each selected covered entity to submit documents via OCR’s secure online portal. All relevant documents must be uploaded to the portal by July 22, 2016. Each selected covered entity will also receive a second email from OCR containing an additional request to provide a listing of business associates as well as more information about an upcoming OCR Q&A webinar for auditees.

Again, OCR cautioned that its emails may be incorrectly classified as spam in some recipients’ email systems. Covered entities should monitor their spam folders and ask their IT departments to add the OCR email (OSOCRAudit@hhs.gov) to their lists of safe senders.

The OCR announcement also contained new information regarding the substance of the desk audits.  OCR provided a list of seven requirements that will be audited during the Phase 2 Audits. Rather than auditing covered entities’ compliance with all Privacy and Security Rule requirements, the Phase 2 Audits will focus on the following selected HIPAA requirements:


OCR selected these requirements based upon the findings of the Phase 1 Audits and recent enforcement activities. OCR has found that covered entities are frequently not in compliance with these seven requirements. 

All HIPAA covered entities should take this opportunity to ensure that they are in compliance with these requirements. Policies should be compliant with the rules and should accurately reflect the organization’s actual practices. Workforce members should be fully trained on the substance of these policies. Additional documents, such as breach logs and records of requests for access, should be readily available to evidence the organization’s ongoing compliance with the requirements.

Media Contact

Subscribe to Receive Updates
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.