Desk Audits Begin for OCR Phase Two HIPAA Audits

The Office for Civil Rights (OCR) has officially started phase two of its HIPAA audit program, with notification letters being sent to covered entities about their inclusion in the desk audit portion. The letters were sent out on July 11, with 167 covered entities selected. OCR’s goal with the desk audits is to review how healthcare organizations are adhering to the HIPAA Privacy, Security, and Breach Notification Rules.

Covered entities will be reviewed on their security management process in terms of both risk analysis and risk management. OCR will also analyze how organizations handle the timeliness and the content of notification.

Desk audits of business associates will take place this fall. Onsite audits will begin in 2017 and may include covered entities that were subject to the desk audits as well as newly selected covered entities. Notification of onsite audits is expected in late fall.

On its website, OCR clarifies that “through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”

Also, OCR recently provided new guidance in three documents addressing its approach to the phase two HIPAA desk audits (the documents are available on OCR’s website):

  1. Selected Protocol Elements with associated document submission requests and related Q&As (“Protocol”)
  2. Slides from audited entity webinar July 13, 2016 (“Presentation”)
  3. Comprehensive question and answer listing (“Q&A”)

The “Protocol” outlines the significance for covered entities and business associates of reviewing OCR guidance as it is issued. The “Presentation” notes state that onsite audits will focus on a comprehensive set of HIPAA compliance controls. The “Q&A” provides answers to questions directly related to the desk audit process itself and presents valuable information to business associates.

To learn more about the phase 2 desk audit program, please visit OCR’s website at

Wondering if there is a cause for concern for your organization? Not if you are already taking the steps needed to be HIPAA compliant.
Complying with the HIPAA regulations is no different from generally ensuring that your healthcare organization’s privacy and security measures are in place and patient health data is protected. This is always an important thing to do.

We at Primeau Consulting Group can assist your organization with the desk audits and reduce risks associated with HIPAA investigations and security breaches. Our experts can help by providing onsite and remote privacy and security risk analyses. In addition, our Privacy & Security Solutions Toolkit is designed as a simple and affordable monthly subscription service that provides:

  • Access to a Virtual Privacy and/or Security Officer
  • A complete Privacy and Security Risk Analysis
  • Implementation of organization-wide Privacy & Security Management Program
  • Tracking and evaluation of wrongful disclosures and potential Privacy-Security violations
  • Awareness, education and training of staff on PHI protection

Contact us to hear more about our Privacy and Security Risk Analysis and learn more about how our Privacy & Security Solutions Toolkit can help you meet the PHI challenge.

