HIPAA Audits


Audit via mail    

  • Stricter Audit Protocols
  • Applies to Covered Entities and Business Associates
  • Expect Audit request 2 weeks prior to audit


Mid-March 2016 marks the start of the second phase of the Department of Health and Human Services Office for Civil Rights HIPAA Audit program. This phase will comprise more than 200 desk and on-site audits. The first round of desk audits will focus on covered entities; the second round will focus on business associates.

According to a presentation by Office for Civil Rights (OCR) Director Jocelyn Samuels: “We’ll be looking at risk analyses and risk management, notices of privacy practices and access and response to requests for access, and content timeliness of notifications.” The process started with the OCR sending out address verification letters, which will be followed by a questionnaire. Once the OCR receives these back, it will select a sample of entities based on a number of factors, including but not limited to size, nature of the business, type of entity (covered entities vs. business associates) and location. Keep in mind that these audits have nothing to do with the HITECH Meaningful Use Audits that many Covered Entities have experienced.