The Office for Civil Rights (OCR) has updated the protocol it uses for phase 2 Health Insurance Portability and Accountability Act (HIPAA) audits.

In case you didn't get the memo, the OCR is currently launching its phase 2 HIPAA audits. This means doctors, chiropractors, dentists and other covered entities could be investigated to ensure compliance with HIPAA and its respective rules. But you'll want to take notice of the OCR's newly updated protocol, because it could affect either your healthcare practice or a business associate with whom your practice does business.

You can access and view the new phase 2 audit protocol at, but it basically amends a few key points. For starters, the protocol has been updated to cover business associates following the 2013 Omnibus Rule. It includes the Privacy Rule, Security Rule and Breach Notification Rule, along with their requirements and audit inquiry.

During its audits, the OCR is expected to use this protocol as a source of reference. The newly revised protocol expands areas of compliance to reflect the Omnibus Final Rule.

“The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification,” wrote the OCR in its audit protocol guidelines.

The good news is that only 200 covered entities are expected to be audited during phase 2. Even if you don't believe you will be targeted, however, it's still a good idea to take a proactive approach towards your practice's HIPAA compliance. Many covered entities, particularly smaller healthcare providers, neglect the basics of HIPAA. It's not until they are slapped with a fine that they realize the importance of compliance. So, familiarize yourself with the HIPAA Security, Privacy and Breach Notification Rules, and build them into your practice's normal day-to-day operations.

Deven McGraw, deputy director of health information privacy at the OCR, announced that covered entities being audited would receive notification letters in May, while business associates would receive them in June or July.

The HIPAA audit protocol contains some 180 areas of review by the OCR. You can submit feedback regarding the new audit protocol via email at, although there is no commenting period for the protocol.
