HIPAA Phase 2 Audits

Posted by BAS - 21 April, 2016


The U.S. Department of Health and Human Services has launched Phase 2 HIPAA audits of covered entities and their business associates. The audits are intended to monitor how organizations are following the HIPAA Privacy, Security and Breach Notification Rules, and to supplement HHS’ complaint investigations and compliance reviews.

If an entity is selected for a Phase 2 audit, HHS will review its policies and procedures. According to HHS, the audit process begins with verification of address and contact information. An email is sent to covered entities and business associates requesting that contact information be provided in a timely manner. HHS then provides a pre-audit questionnaire to collect information about the size, type and operation of the business.

Audits will be conducted in three rounds:

  1. Remote desk audits on covered entities with a narrow focus on compliance with the rules;
  2. Remote desk audits on business associates;
  3. Onsite audits that will last 3-5 days.

HHS has provided information about audit protocols so companies can conduct their own internal self-audits as part of their HIPAA compliance activities.

All health plans and business associates should look out for communications from HHS and be prepared to answer questions within the scope of a HIPAA audit.

