Phase 2 OCR HIPAA Audits: What’s to Come in 2015?

Here is a high-level breakdown for the Phase 2 HIPAA Audits being conducted by OCR in 2015:

Back in 2011, the Office of Civil Rights (OCR) was brought on-board to support a pilot HIPAA audit program with the goal of assessing controls and processes implemented by covered entities (focus on Personal Healthcare Information – PHI). OCR had a two phased approach for HIPAA audits, and began phase 2 back in the fall of 2014. For phase 1, OCR developed audit protocol to measure efforts of some 115 Covered Entities. With phase 2, the audit protocol was updated to encompass both covered entities and business associates.

For phase 2, OCR is revising their audit protocol to encompass some hot topics: timely & thorough security risk assessments, effective & on-going risk mitigation plans, breach notification procedures, encryption, training, and policies/procedures. This phase also brought Business Associates into the scope (in addition to Covered Entities) of a potential audit. This update has increased the reach of OCR audits and I foresee it continually expanding.

Below I have included some useful definitions and points to better clarify the phase 2 audits.


A “business associate” is an individual or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.

Business associate functions and activities

claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

Business associate services

legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Example of a Business Associates

A third party administrator that assists a health plan with claims processing.

Keys to Success

Business Associates and Covered Entities must enter into a Business Associate Agreement (BAA – somewhat similar to a SAS70, catered to HIPAA) to ensure the safeguard of protected healthcare information (PHI). Existing BAAs should be revised according any new HIPAA OCR audit protocols. [There are specific agreement requirements to follow]

Phase 2 Audit Targets

Risk analysis, risk management, content and timelines of breach notification, notice of privacy practices, individual access, privacy standards reasonable safeguard requirement, training on policies and procedures, device and media control, transmission security, encryption requirements. For Business Associates, specific targets include risk analysis, risk management, breach reporting to covered entities.

Covered Entities had to come within full compliance of the HIPAA Omnibus Rule for some time now, while Business Associates followed suite on Sept. 23, 2014. In 2014 and into 2015 we now see the enforcement (audit/findings). With most new enforcements being pushed out, those liable enter into a ‘transition phase’ prior to audits. The actual phase 2 audits to assess compliance for Covered Entities started in the fall of 2014 and audits of Business Associates is anticipated to start in 2015. So in 2015, it’s important to note that both Covered Entities and Business Associates (LR Customers/Prospects) are now in-scope for these revised HIPAA OCR audits and enforcement.

There has been some delay in finalizing the audit protocols, but it is anticipated this will fully roll out sometime in 2015. Again, OCR’s focus will continue to be on more thorough audits of Covered Entities, but will really hit hard on Business Associates this year. OCR has issued a number of surveys over 2014 and into the start of 2015 with a goal to gather information and build up their audit protocol—these were indicators of pending, revitalized audits to come.

Surveys have indicated that only about a third of medical practices and staff were aware of these ‘revised’ audits. So this in itself indicates many Covered Entities and Business Associates still may not be fully aware of pending audits (or the enhancements to existing audit protocols) that could result in financial settlement or fines for noncompliance.

Be prepared, do your homework, become compliant.

Until next time,

Bob Swanson