Phase 2 HIPAA Audits

Healthcare providers and business associates that receive an email from the OCR should not ignore it.

Healthcare providers and their business associates should be on the lookout for an email from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) requesting the recipient to verify its contact information.

By now, every healthcare provider knows that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established the minimum standards for the privacy and security of protected health information (PHI). 

The HIPAA statute delegated the responsibility for implementing HIPAA to the OCR.  As part of that responsibility, the OCR developed the HIPAA privacy and security rules that apply to covered entities (healthcare providers, healthcare plans, and healthcare clearinghouses) and their business associates.  The OCR's HIPAA Audit Program is part of its enforcement process and gives it an opportunity to examine the various mechanisms for HIPAA compliance, identify best practices, and discover risks and vulnerabilities that may have gone undetected during the OCR's complaint investigations and compliance reviews.

Until now, most covered entities and business associates knew of the OCR's enforcement efforts primarily through complaint investigations and data breach reports.  The Phase 2 HIPAA audit program is more proactive and will reach a significantly larger number of covered entities and business associates.  If your organization has not already done so, now is an excellent time to examine its compliance program and its HIPAA risk assessment.

At this point in the Phase 2 HIPAA Audit Program, the OCR is only verifying the contact information for covered entities and business associates.  Once the OCR verifies the contact information, it will send pre-audit questionnaires to gather additional data on the size, type, and operations of the covered entities and the business associates.  The OCR will use the information gathered through that process to establish the pool of entities subject to audit.

The fact that the OCR is sending emails requires covered entities and business associates to use additional caution.  Every entity receiving an email purporting to be from the OCR should verify that the email is actually from the OCR before opening it.  No doubt the unscrupulous individuals engaged in hacking, identity theft and fraud will be sending phony emails masquerading as the email from the OCR.  The OCR website has a sample of the letter the OCR will be sending by email, which may be helpful in distinguishing legitimate OCR emails from phony emails.

Unfortunately, covered entities and business associates cannot escape the audit simply by ignoring or refusing to respond to the OCR's email.  The OCR announced that it will use publicly available information to verify the information of entities that do not respond to the OCR email.  The OCR also said that it expects covered entities and business associates to check their junk or spam email folders for the OCR email if those entities have automatically enabled their spam filtering and virus protection programs.

Covered entities and business associates that have not touched their HIPAA policies and procedures since 2002 should take heed and update their policies, procedures, and forms immediately.  In 2015, the OCR fined a radiation oncology practice $750,000 due to its widespread noncompliance with HIPAA, including the lack of a policy for the removal of electronic media from the practice.  The off-the-shelf HIPAA compliance packages many covered entities bought in the early 2000s definitely do not include any of the changes enacted by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).  Those old generic HIPAA manuals also rarely include any type of compliance program, self-audit provisions, or HIPAA risk assessment provision.  The OCR will definitely be looking for all of those as part of the Phase 2 Audit Program.

Covered entities and business associates can anticipate receiving an email from the OCR.  Those entities should not ignore an email from the OCR, but should be cautious about opening any email.  Those entities should also reexamine their compliance programs and risk assessments before the OCR discovers a deficiency.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla.  This article is for general information only and is not a substitute for formal legal advice.

© 2017 ADVANCE Healthcare, an Elite CE company