Phase 2 HIPAA Audits Are Under Way

On Monday, July 11, 2016, letters were delivered to the 167 organizations chosen for ‘Phase 2’ HIPAA audits. These audits, called ‘desk audits’, will look at the selected organizations’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The selected organizations needed to reply by July 22 and to follow a structured process after that. You can read the details about these audits on the OCR website. Be sure to scroll down a bit so you see the Phase 2 Audit Program Protocol.

According to OCR, these Desk Audits will cover specific aspects of compliance:

Requirements Selected for Desk Audit Review

Privacy Rule

Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]

Provision of Notice – Electronic Notice [§164.520(c)(3)]

Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule

Timeliness of Notification [§164.404(b)]

Content of Notification [§164.404(c)(1)]

Security Rule

Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]

Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]


Starting in the fall, Business Associates will be up for review.

I wonder if any SOS customers or readers of this blog have been selected for audit. If so, we hope you will share your experience.
