The US Department of Health and Human Services, Office for Civil Rights (OCR) announced Monday that it has started Phase 2 of the HIPAA Audit Program that will lead to hundreds of reviews of covered entities and business associates.

Over the next seven months OCR will be conducting limited scope desk audits of about 200 covered entities (CE) and business associates (BA). The agency said that it will also perform 24 on-site, comprehensive audits. According to OCR, most of the CE audits will be “desk audits,” requiring organizations to submit documentation demonstrating that they have policies and processes in place that meet HIPAA requirements. OCR will also conduct some comprehensive, on-site audits in this round of audits.

OCR’s rollout of Phase 2 of the OCR audit program is starting just as expected. OCR has sent communications via postal mail and email to identify and verify contact information of the designated privacy and security officials of HIPAA covered entities. Covered entities that have received these communications are asked to provide the information sought through an Internet portal maintained by OCR within two weeks of receipt of the request. This activity tracks with how the agency had said that it would initiate the audit program. 

Sometime in April, OCR is expected to follow with a second communication to these covered entities that they are seeking information about the types of services the organization provides, the size and complexity of the covered entity and their use of health IT. These surveys will be used by OCR to develop a diverse group of organizations for selection and participation in audits to be conducted this year.    

What OCR Will be Looking For

While OCR’s audit protocol has not been finalized, the agency has identified areas where it intends to focus its attention:

How to Prepare

Healthcare provider practices, health plan administrators and business associates should prepare now so they’re ready if they are selected for a desk audit:

OCR has posted a notice on its website regarding Phase 2 of the audits. It includes program background information, FAQs and a sample of the address verification communication. Click here to view it.

If you have any questions about the audit program or want to know more about our mock audit services contact us at