
From Health Law Daily, March 22, 2016

OCR aims HIPAA audits at CEs and BAs

By Bryant Storm, J.D.

The second phase of audits under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Audit Program will focus on the business associates (BAs) of HIPAA covered entities (CEs) as well as the CEs themselves. The HHS Office for Civil Rights (OCR) will conduct the audits to uncover vulnerabilities to protected health information and evaluate CEs’ and BAs’ policies and procedures regarding compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.

Scope. The HIPAA audit process begins with entity verification, in which the OCR will request, via email, that CEs and BAs respond to the OCR with their contact information in a timely manner. The contact information request is followed by a pre-audit questionnaire regarding the type, size, and operations of an organization. The OCR uses the results of the pre-audit questionnaire to create potential audit pools. Every CE and BA is a potential candidate for an audit. The potential auditees include individual and organizational providers of health services, health plans of all sizes and functions, health care clearinghouses, and the BAs of those organizations. While the first round of program audits narrowly focused on CEs, the OCR planned the second phase of audits to widen the focus of the audit program to more significantly include BAs (see OCR Phase 2 audits to focus on specific HIPAA rules, July 17, 2015).

Audits. The OCR plans to begin with desk audits of CEs and BAs. The OCR will notify selected entities of the subject of an audit in a document request letter. Entities chosen for the audit will submit documents online through a new secure audit portal on OCR’s website. If selected, an entity will have 10 business days to respond to the OCR’s information request. The OCR will then provide the entity with draft findings, to which the entity will have 10 business days to respond. Although the OCR believes there will be fewer in-person audits in the second round than in the first phase of the audit program, entities should remain prepared for site visits because the OCR will perform an on-site visit if it deems one appropriate. The audits aid the OCR in determining what kind of assistance should be developed or what kind of corrective action is necessary to keep CEs and BAs in compliance.
