HHS Has Launched its Next Phase of Random HIPAA Audits
After much anticipation, the Department of Health and Human Resources Office of Civil Rights (OCR) has launched its audit program that will target health care providers, hospitals, employer sponsored group health plans, and business associates of these entities, to evaluate their compliance with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
As part of this new phase of the HIPAA audit program, which is currently underway, OCR will review the policies and procedures adopted and implemented by covered entities and their business associates.
To select the targets of these audits, OCR will first create audit pools of similarly situated organizations. In order to create the audit pools, OCR will reach out to various entities asking them to fill out a questionnaire. Once the audit pool is established, OCR will randomly select organizations for desk audits and onsite audits and notify them by email with a document request letter.
The first round of audits, which is expected to be completed by the end of December 2016, will consist of desk audits of covered entities and then desk audits of business associates. During this round of audits, OCR will examine specific requirements under the HIPAA Privacy Rule, Security Rule, and/or Breach Notification Rule. For instance, it may examine whether a covered entity has conducted a valid security risk assessment that adequately assesses its physical, technical and administrative safeguards. An audit may also focus on more discrete subject matters, such as examining an organization's patient forms for the disclosure of protected health information.
Next, OCR will begin conducting onsite audits that will examine a broader scope of an entity's HIPAA compliance. OCR warns that depending on the results of a desk audit, the subject of a desk audit could subsequently be the target of a later onsite audit.
Now, more than ever, covered entities and business associates need to ensure that they have comprehensive and compliant HIPAA policies and procedures, a prepared and trained breach detection and response team, and a recent full security risk assessment. More information about this next phase of OCRs compliance efforts, including a sample audit request letter, are published on OCRs website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.
Kaufman & Canoles remains available, even on short notice, to assist with your HIPAA compliance matters. In the event of an upcoming HIPAA audit, a potential breach of protected health information, or if you have any questions regarding compliance with HIPAA, contact our Health Care Practice Group or Data Privacy and Security team. We can be reached by phone on our hotline at (844) 417.3309 or by email at cyberhotline@kaufcan.com.
Mentioned
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2026.
