The Long Anticipated HIPAA Audits Are Here!

Miller & Martin PLLC Alerts | July 19, 2016


by Christie Kizer Burbank

Phase 2 HIPAA Audits, which the Department of Health and Human Services' Office of Civil Rights ("OCR") announced had "launched" back in March of this year, have now officially begun. On Monday, July 11, 2016, the first round of 167 covered entities (which include health plans, health care providers and health care clearinghouses) received desk audit letters via e-mail requesting that they submit certain documents evidencing HIPAA compliance through a portal on the OCR website by July 22, 2016.

These desk audit letters were sent from to e-mail addresses provided by covered entities during the pre-audit phase of the program or otherwise recorded by the OCR. Individuals responsible for maintaining these designated e-mail addresses should add to their address book and carefully review not only their inbox, but also their junk e-mail and SPAM folders to determine if any audit information has been received.

Each covered entity selected for a desk audit will receive two communications from OCR. The first e-mail includes the desk audit document request, information about the 10-day timeline for response, and the link to a secure portal for submitting responsive documents. The second e-mail provides information about an upcoming informational webinar for auditees and asks the covered entity to provide a list of its business associates. Desk audits of business associates are scheduled to follow in the fall.

The Phase 2 desk audits are designed to determine whether the covered entity has appropriate documentation demonstrating its compliance with certain requirements of the HIPAA Privacy, Security, and Breach Notification rules. Specifically, the desk audits will ask covered entities to provide documentation of compliant policies governing:

  • The content and electronic provision of the Notice of Privacy Practices;
  • The individual's Right to Access PHI records;
  • The timeliness and content of Breach Notifications; and
  • The covered entity's Security Risk Analysis and general Security Risk Management.

These compliance areas were selected by OCR as areas of focus because pilot audit programs and other OCR enforcement activities have identified them as frequent areas of noncompliance.

If you have received a desk audit letter from OCR or have any questions about the desk audit process, please contact Christie Kizer Burbank or any other member of our Health Care Practice Group.

