The short turnaround time to answer a HIPAA audit request puts pressure on you to be ready at any time.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health & Human Services (HHS) to perform periodic audits of covered entities and business associates to make sure they are complying with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.

Here’s a closer look at Phase 1 and Phase 2 audits and the background information you’ll need to prepare for a possible audit.


The HHS Office for Civil Rights (OCR) started Phase 1 audits in 2011 and launched Phase 2 on March 21, 2016. Phase 2 focuses on noncompliance areas identified in Phase 1 including security risk analysis/management, breach notifications and notices of privacy practices.

Audit Targets

Covered Entities (CE): Employer-sponsored group health plans, health insurance companies, doctors, pharmacies and health care clearinghouses (they forward claims from health care providers to insurance payers, such as billing services).

Business Associates (BA): A person or organization that performs services for a CE involving access to protected health information (PHI). BA services include claims processing or administration, data analysis, billing and benefit management. Service providers can include third-party administrators, accountants, attorneys, consultants, cloud data storage companies, and pharmacy benefits managers.


New for Phase 2

The process starts out similarly to Phase 1: OCR chooses a broad range of CEs to audit from a pool of CEs that filled out preaudit surveys. This time, however, audited CEs will submit a list of their BAs, and OCR will choose BAs to audit from the pool the CEs identify.

Short turnaround time for auditees

Be on the lookout for OCR’s audit notice and policies/procedures request, which will come by e-mail, according to Data Privacy Monitor. OCR warns that the e-mail may be incorrectly classified as spam. CEs and BAs must be ready to respond within two weeks after OCR sends a pending audit notification and data request. Data Privacy Monitor stresses, “OCR will accept only documentation submitted on time; therefore, it is important to have documentation collected and available in anticipation of a request.” If an auditee fails to respond on time, OCR could start a full compliance review, which could lead to penalties. Thomson Reuters Regulatory Intelligence reports that OCR is authorized to impose fines of up to $50,000 per violation for failure to comply with HIPAA, even for unintentional breaches, up to $1.5 million per year.


How to Prepare

  • Read your policies and procedures on the administrative, technical and physical safeguards you adopted for PHI (paper, verbal and electronic). The documents should be final versions, not drafts, and current with the 2013 Omnibus Final Rule. Employee actions should match your policies and procedures including the breach notification procedure and notice of privacy practices.
  • Conduct a self-audit. The current HHS audit protocol may be used. The protocol has been updated to reflect the Omnibus Final Rule.
  • Business associates. Compile a list of your BAs with contact information. BA agreements, ensuring privacy and security of PHI, should be in place and current with the 2013 Omnibus Final Rule.
  • Employees with access to PHI need HIPAA compliance training. Keep training records.
  • Security risk assessment. Document that any identified vulnerabilities have been evaluated and addressed, potentially preventing a data breach.
  • Electronic devices. Laptops, phones and flash drives with PHI should be encrypted.
  • Building security. Keep PHI safe.

The second phase of audits shows us that OCR is trying to be more proactive with enforcement rather than reacting to complaints. OCR is planning for a permanent audit program, as required by HITECH, so any CE or BA is a potential audit target. Keeping compliance documents and records updated and accurate will help you cooperate with ease as an auditee.

Jenny Lucey, CEBS
Information/Research Specialist at the International Foundation


