

Phase 2 of the HIPAA Compliance Audits Are Here!

Complying with HIPAA has been a priority for healthcare providers since the act became law. For the past three years, however, the roll-out of phase two of the HIPAA compliance audits has been delayed. That didn’t stop the buzz about what was to come. According to well-founded rumors, they were projected to be a much improved version of their predecessor.


And now they are here!


According to, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates:


“In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”


But what took so long?


HIPAA is enforced by the Office for Civil Rights, a federal agency. It had hoped to open the curtain on the new edition of audits last fall, but that didn’t happen. Speculation as to the reason for the delay has been rampant. According to OCR officials, the culprit was a problem with some of the technology being developed to gather compliance information from healthcare providers and other covered entities.


Compliance Road Blocks

Another potential roadblock stemmed from a leadership change at OCR. In July of 2014, former director Leon Rodriguez was named the director of U.S. Citizenship and Immigration Services, which is a unit of the Department of Homeland Security. His replacement at OCR was Jocelyn Samuels, formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice. The several weeks or months it takes a new leader to settle into her position, combined with fewer resources at OCR, have most likely made the roll-out of phase 2 even slower than expected.


Nevertheless, it seemed clear that phase 2 was inevitable. In fact, OCR posted a job description for a “compliance specialist-auditing” position in its Washington office. OCR officials also let it be known that the agency was developing audit protocols for covered entities as well as business associates. The latter are directly responsible for complying with HIPAA under the HIPAA Omnibus Rule and are subject to OCR enforcement actions. Financial penalties for noncompliance could be as high as $1.5 million.


The hiatus is over, and healthcare providers – and now business associates – must be ready to face potential HIPAA audits. Don’t wait until you get that dreaded thick envelope from OCR signaling the beginning of a long, drawn-out and possibly financially painful investigation. Take the time now to fully review your procedures and protocols and begin making proactive changes in a more relaxed and methodical way. Here are some ideas:


  • Conduct regular risk assessments to check for vulnerabilities.
  • Establish policies for secure email and mobile communications among your staff and with outside parties.
  • Train all employees who use or disclose patient information, and require staff to take refresher courses on a regular basis.
  • Make sure you are entering into valid business associate agreements with all business associates.
  • Implement your privacy policies and discipline employees who violate them.


In the end, you may never be chosen for a HIPAA compliance audit. Most providers aren’t. Nevertheless, you can have the peace of mind that only comes when you know you are prepared just in case.


To learn more about how your care team can leverage HipaaBridge for secure, HIPAA-compliant messaging, visit