HIPAA 2016 Audits Phase 2: Covered Entities and Business Associates Take Notice

Mar 23, 2016
  • FisherBroyles News
  • Health Care
  • White Collar Crime

As part of its continued effort to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced yesterday that it has begun its next phase of audits of covered entities and their business associates. In the 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures implemented by covered entities and business associates primarily through desk audits; however, some on-site audits will also be conducted.

This second phase of audits follows OCR’s 2011-2012 pilot program of 115 entities.  From the data collected and results achieved, OCR developed enhanced protocols to be used in the 2016 Phase 2 HIPAA Audit Program, including a new strategy to test the efficacy of desk audits in evaluating compliance with privacy, security and breach notification rules.  OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, health plans, health care clearinghouses and business associates.  OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

The first desk audits will be for covered entities, followed by a second round of desk audits of business associates.  All desk audits in this phase will be completed by the end of December 2016.  A third set of audits will be onsite and will cover a broader scope of requirements from the HIPAA Rules than desk audits.  It is anticipated that results from desk audits may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered.

Audits of covered entities are now underway and begin with an email notification requesting contact information.  The emails will originate from [email protected]; if your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam folders for its email.  If an entity fails to respond to the notification email, OCR may use publicly available information to create its audit pool, with the result that a desk or onsite audit notification may not reach the appropriate company representative in a timely fashion.  From the responses to the initial email, OCR will create a pool of targets for desk and onsite audits.

If your entity is chosen for a desk audit, requested information must be submitted electronically within 10 business days of the request.  OCR will provide draft findings and auditees will have 10 days to review and return written comments.  Similarly, entities chosen for onsite audits will also receive an email notification.  OCR will schedule an entrance conference to provide more information about the process and onsite audits will be conducted over a 3-5 day period, depending upon the size of the entity.  Entities will have 10 business days to review draft findings and provide written comments to the auditor.  OCR will complete and provide a final audit report within 30 business days.

As we have advised in our recent client alerts regarding HIPAA enforcement trends, we believe the 2016 Phase 2 HIPAA Audit Program will have a keen focus on business associates and on covered entities’ Business Associate Agreements (“BAAs”).  Business associates have been directly covered by HIPAA only since 2013; therefore, their compliance with the HIPAA Privacy, Security and Breach Notification Rules may not be as robust or as fully vetted as OCR requires.  Business associates that conduct third-party billing, data analysis, storage and management, and the covered entities who have BAAs with these vendors, are particularly likely to be targets of OCR audits.  Covered entities and business associates must exercise due diligence in reviewing their HIPAA compliance programs and conducting system-wide audits of their PHI safeguards to identify and remediate areas of vulnerability that could put personal health information at risk.

For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:
Brian E. Dickerson
[email protected]
Nicole Hughes Waid
[email protected]
Anthony J. Calamunci
[email protected]

About FisherBroyles, LLP

Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 23 markets globally. The FisherBroyles efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

© 2021 FisherBroyles LLP