OCR Begins Random Audits for Business Associates

The HHS Office for Civil Rights (OCR) has announced that the Business Associate Desktop Audits will take place this month, October 2016.

In 2011, OCR decided to expand HIPAA monitoring and enforcement to include random audits. During Phase One they initiated 115 random audits of Covered Entities (CEs). Phase Two, Round One occurred in May 2016, with OCR contacting CEs by email to determine the correct contacts for the audits. Round Two consisted of emailed surveys to some of those contacts to determine the size and type of the facilities. This information was used to get a sampling of CEs of all sizes and types. In Round Three, which started in July, 147 CEs were contacted by email to participate in a desktop audit conducted over the internet. The CEs were required to answer questions and upload policies, procedures, forms, breach investigations and access requests. The Covered Entities were given 10 business days to respond.

Phase 2, Round 3 for Business Associates Begins Now

Covered Entities who participated were required to provide a list of their Business Associates and their contact information. These lists were used to choose 40 to 50 BAs to receive a desktop audit in Round Three. Emails to the chosen BAs will most likely go out on a Monday with the final answers due by the Friday of the following week, just like the July audits. The audits are expected to focus heavily on breach responses. Just as with the CE audits, anyone who fails to respond within the time frame will be immediately added to the pool for Round Four: on-site comprehensive audits that are scheduled for January 2017. Individual audit results will not be publicly posted and fines will not be levied at this time, but if an audit indicates a serious compliance issue OCR may initiate a further investigation.


Action Items

Start monitoring your email, especially messages from anyone who has contact with your Covered Entities. The audit email will probably come from: OSOCRAudit@hhs.gov

  1. Gather any documents on policies, procedures and incidents related to breaches.
  2. Make sure your personnel are trained and you have the training records.
  3. We now have a new Business Associate HIPAA Online training designated just for your business. So if you need training and want to do it online, log in to your TMC account and the BA HIPAA training will be there ready for you.


We are here to support you. If you are contacted, call our toll-free number 1-888-862-6742 or email Service@TotalMedicalCompliance.com for assistance.

We Have Tools To Help You

Business Associates Training – On-site and Online Training