Phase Two HIPAA Audits Enter Round Three for Business Associates

The HHS Office for Civil Rights (OCR) is tasked with monitoring and enforcing the HIPAA regulations. While OCR has always conducted investigations and inspections in response to breach incidents, it also plans to pursue random audits. To start this process, OCR initiated 115 random audits of Covered Entities in 2011 and 2012 to test its process. This was called Phase One.

OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Through the information gleaned from the audits, OCR will develop tools and guidance to assist in compliance self-evaluation and in preventing breaches. Using the data from these audits, OCR began Phase Two in May 2016. Phase Two will include both Covered Entities (CEs) and Business Associates (BAs).

In Round One, OCR contacted Covered Entities by email in May to determine the correct contacts for the audits. In Round Two, it emailed surveys to some of those contacts to determine the size and type of the facilities. This information was used to get a sampling of CEs of all sizes and types for Round Three, which started in July. One hundred and forty-seven CEs were contacted by email to participate in a desktop audit conducted over the Internet. The CEs were required to answer questions and upload policies, procedures, forms, breach investigations and access requests. The Covered Entities were given 10 business days to respond. In addition, all CEs who participated were required to provide a list of their Business Associates and their contact information. These lists will be used to choose 40 to 50 BAs who will also receive a Desktop Audit.

OCR has announced that the Business Associate Desktop Audits will take place this month, October 2016. Emails to the BAs chosen will most likely go out on a Monday, with the final answers due by the Friday of the following week, just like the July audits. The audits are expected to focus heavily on breach responses. Just as with the CE audits, anyone who fails to respond within the time frame will be immediately added to the pool for Round Four: on-site comprehensive audits that are scheduled for January 2017. Individual audit results will not be publicly posted and fines will not be levied at this time, but if an audit indicates a serious compliance issue, OCR may initiate a further investigation.

Action Items

Covered Entities:

  1. Notify your Business Associates immediately!
  2. Start preparing now for the January on-site audits, especially if you received any of the notices from Round One or Two, by making sure your policies, procedures and forms are up-to-date.
  3. Make sure you have a current Risk Analysis and Corrective Action Plan.
  4. If you haven't already attended one of our free webinars on the new requirements for patient access, go to our website now and sign up.


Business Associates:

  1. Start monitoring your email, especially from anyone who also has contact with your Covered Entities. The email address will probably be from
  2. Gather any documents on policies, procedures and incidents related to breaches.
  3. Make sure your personnel are trained and that you have the training records. We now offer a new Online Business Associates Training as well as an On-site Service for your convenience.

If you are a current TMC HIPAA client, we are here to support you. If you are not, call our toll-free number 1-888-862-6742 and sign up now.