Last week OCR reported that it had faced challenges in identifying and selecting a diverse pool of organizations to participate in the Phase 2 HIPAA Audit Program. In an effort to expand the roster of covered entity candidates, OCR sent up to 10,000 emails to prospective covered entities in a single “e-mail blast” asking for recipients to confirm if the recipient was associated with an organization that was a HIPAA covered entity, and to provide the contact information for appropriate HIPAA privacy and security officials. To make sure that your email system did not reroute or recognize this communication, we recommend looking in your “spam” folder for messages sent from [OSOCRAUDIT@HHS.GOV].

We have learned that some organizations or health systems have received 25 or more inquiries from OCR, where each one was addressed to a separate covered entity component that is part of an organization’s network of facilities or business units. Each email requests a response to supply contact information even though it is the same for each of these organizations that are a part of a network.

Many organizations receiving multiple requests from OCR have a centralized structure in which a single health information privacy or information security official is responsible for compliance governance to each of the components in the organization.

I contacted OCR to ask would if it be possible to supply one response that would satisfy the multiple requests that could be received by a central compliance official. OCR replied with the following guidance:

“Each CE that received a notice should attest to the information being correct that we have on file for them. If the same entity has received multiple notices, then only one response is needed. In many instances, though, the CE address differs, thus we would need a verification for each.”

In many large health systems, each of their components exists as a separate covered entity although they may have structured themselves to be a part of an OHCA or an ACE. If this is the case with how a health system or network is structured, it will be necessary to respond to each request individually on behalf of each covered entity. If in fact an organization (or perhaps some part of its components) are a single covered entity, only one response is required and the other sister campuses or business units can be listed in the reply.

If you would like to learn more about CynergisTek’s mock audit services or additional ways to prepare for the HIPAA audit program, email us at