Check Your Inboxes and Spam Folders: Phase 2 of OCR’s HIPAA Audit Program Is Coming

​The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) launched its second phase of audits of covered entities and their business associates, on March 21, 2016, to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act's (HITECH) Privacy, Security, and Breach Notification Rules. The audits are one of the tools OCR uses to address risks to and vulnerabilities of protected health information (PHI). During phase 2, OCR will review policies and procedures that covered entities and their business associates have adopted to implement the specifications of the Privacy, Security, and Breach Notification Rules. They will primarily be desk audits, but some on-site audits will also be conducted. The audit process will begin with an e-mail requesting that contact information be reported to OCR in a timely manner.