Next Phase of HIPAA Audits Has Begun, Official Says


By James Swann

March 21 — The government’s Phase 2 HIPAA audits began March 21, a government official said at a conference.

Health and Human Services Office for Civil Rights Director Jocelyn Samuels said Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates.

The compliance audits are intended to determine if health-care organizations and their contractors are complying with Health Insurance Portability and Accountability Act privacy and security rules.

The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates.

The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year, Samuels said during the National HIPAA Summit.

Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA March 21 that Phase 2's impact will depend on how difficult the audit protocol is.

The audit protocols contain the specific issues auditors will be examining and provide detail on what documents organizations have to submit.

Nahra said the first protocol in the Phase 1 audits was very burdensome.

The Phase 2 audits will affect a small percentage of organizations, Nahra said.

“The problem with audits is their overall burden, the risks resulting from the audits and the potential unfairness of picking people largely at random,” Nahra said.

Samuels said the Phase 2 audits aren't meant to be punitive, but are designed to allow the OCR to get out in front of potential problems.

The first round of desk audits will involve covered entities, while the second round will center on business associates, and it's possible that the OCR might follow up a desk audit with an on-site visit, Samuels said.

Audit Scope

The Phase 2 audits will cover a wide range of health plans, providers and business associates, Samuels said.

That breadth will enable the OCR to assess HIPAA compliance across the entire health-care industry, Samuels said.

The desk audits will review specific requirements of the HIPAA privacy, security, or breach notification rules, while the on-site audits will have a broader focus on the HIPAA rules, Samuels said.

Audit subjects will receive an e-mail regarding their audit selection and will be able to submit any requested documents through a portal on the OCR's website.

Protocols for the Phase 2 audits will be posted on the OCR's website soon, Samuels said.

OCR Enforcement

In addition to announcing the start of the Phase 2 audits, Samuels spoke about OCR's enforcement efforts over the past year.

She said the OCR has reached nine major settlement agreements over HIPAA violations since last March, totaling $11 million in settlement payments. She called it “a very eventful year.”

For example, the OCR reached a $3.9 million settlement with the Feinstein Institute for Medical Research on March 17, which followed by a day a $1.9 million agreement with North Memorial Health Care of Minnesota.

Highlighting some of the lessons learned as a result of the OCR's enforcement efforts, Samuels cited the need for companies to:

  • safeguard all paper records, even if most records have migrated to an electronic format;
  • maintain business associate agreements with all business associates;
  • perform a comprehensive risk analysis of all sources of protected health information, not just electronic health records; and
  • translate the results of a risk analysis into a robust risk management plan.

Samuels said the OCR is serious about holding organizations accountable for their HIPAA compliance.

Samuels also spoke briefly about the Obama administration's Precision Medicine Initiative, which she said is designed to enable personalized medical treatment.

The program's success depends on patient willingness to share vast amounts of personal data, and the OCR is committed to ensuring that there are robust privacy and security protections in place, Samuels said.

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Janey Cohen at
