The Office for Civil Rights (OCR) is preparing for the second phase of Health Insurance Portability and Accountability Act (HIPAA) audits. According to, the first phase included more than 100 "pilot" audits, focusing strictly on covered entities. The second phase, however, will cover both covered entities and the third-party business associates with whom they work. Whether you are a covered entity or a business associate, you should take the time now to prepare for the next round of HIPAA audits.

What is a HIPAA Audit?

A HIPAA audit is exactly what it sounds like: an examination of a covered entity and/or business associate, mandated by the Department of Health and Human Services (HHS) under the HITECH Act, to ensure they are complying with the HIPAA Privacy, Security and Breach Notification Rules. The OCR, a division of HHS, is responsible for conducting these audits, and the time for its second round is now approaching.

Security Risk Analysis

During the OCR's first round of HIPAA audits, investigators found that many covered entities had not conducted a proper security risk analysis of their workplace. As a result, their data was exposed to an increased risk of breach and unauthorized use. It's safe to assume that the second round of HIPAA audits will also place an emphasis on security risk analysis, so make sure your healthcare practice is fully prepared.

Tips to Prepare for Phase II HIPAA Audits

  • Familiarize yourself with the HIPAA Security, Privacy and Breach Notification Rules.
  • Create Business Associate Agreements (BAAs) with any third-party entity that has access to Protected Health Information (PHI).
  • Create (and update when needed) privacy policies describing the manner in which patients' information is used.
  • Train staff and personnel fully on the nuances of HIPAA and its respective Rules.

When Will Phase II HIPAA Audits Begin?

There's still no official word on when the OCR will conduct the second phase of its HIPAA audits. The OCR usually remains quiet regarding audits, and for good reason: if everyone knew when an audit was going to happen, they would make last-minute changes to correct their violations. Whether the second phase of HIPAA audits is weeks away or months away, covered entities and business associates should constantly work to remain compliant with the Health Insurance Portability and Accountability Act.
