Phase 2 of HIPAA Audit Program is underway: Check your email!

On March 21, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began its next phase of audits of covered entities and their business associates as part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Following this news, we at PrivaPlan have a couple of initial recommendations for you: 

1) Keep a close eye on your spam and junk email folders. 

2) Spend some time reviewing your HIPAA security and privacy policies and procedures and training programs to ensure compliance with HIPAA.

Communications from OCR will be sent via email and may be incorrectly classified as spam. The first email in the 2016 audit process is to verify an entity’s address and contact information. If your spam filtering and virus protection are automatically enabled, you are expected to check your junk or spam email folder for emails from OCR and to respond in a timely manner.

A pre-audit questionnaire will then be sent to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools. These audits will primarily be desk audits, although some on-site audits will be conducted.

According to OCR, the 2016 Phase 2 HIPAA Audit Program is developing on pace, and updated audit protocols will be posted on its website closer to when the 2016 audits are conducted. Furthermore, the audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.

To learn more about OCR’s Phase 2 Audit program, visit

To gain a better understanding of your part in this process or for assistance with other HIPAA related issues, contact the HIPAA experts at PrivaPlan. We’re here to help.

You can reach us at or call 877-218-7707.
