The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it has started obtaining and verifying entity contact information in order to identify covered entities and business associates for the potential audit subject pools of its 2016 Phase 2 HIPAA Audit Program. In Phase 2, OCR will review the policies and procedures that covered entities and their business associates have adopted and employed to comply with the HIPAA Privacy, Security and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will also occur.

OCR has started sending emails to entities requesting verification of contact information and providing pre-audit questionnaires. Because these emails may be incorrectly classified as spam, OCR has advised entities to check their junk and spam email folders for messages from OCR sent from the following email address ( ). If an organization fails to respond to an information request, OCR will use publicly available information about the entity to build the audit pool. According to OCR, an entity that does not respond to the address verification or pre-screening questionnaire may still be selected for an audit or be subject to a compliance review.

All Phase 2 desk audits, including those of business associates, are expected to be completed by the end of December 2016. OCR says that it will post updated audit protocols on its website as it gets closer to conducting the 2016 audits. Entities selected for audit will have 10 business days from the date of the information request to provide the requested documentation. Once OCR provides draft findings, audit subjects will have 10 business days to review them and provide written comments. The auditor will then prepare a final report within 30 business days of receiving the audit subject’s response.

To prepare for the Phase 2 audits and information requests, covered entities and business associates should do the following:

  • Covered entities: prepare a current list of your business associates so that it can be provided to OCR promptly upon request.
  • Add the OCR email address ( ) to your email “safe list” and regularly check spam and junk mail folders for messages from OCR.
  • Make sure that your HIPAA Privacy, Security and Breach Notification policies and procedures are up to date and readily accessible, given the short (10 business days) response window for information requests.
  • Periodically check the OCR website for the updated Phase 2 audit protocol.
  • Use the Phase 2 audit protocol as a tool for internal self-audits as part of the organization’s ongoing compliance program, so that gaps are found and documented before OCR requests the evidence.

Should you have any concerns or questions about your organization’s HIPAA compliance, please do not hesitate to contact the authors of this blog post.