Yesterday, the federal Office for Civil Rights (OCR) announced Phase 2 of its HIPAA Audit Program (Program). In its announcement, the OCR reports that the Program is underway and provides some helpful FAQs for covered entities and business associates about the Program. Preparation is critical and there are some key points covered entities and business associates should focus on.

Every covered entity and business associate is eligible for an audit. So, don’t think that because you are a small health care provider or sponsor a group health plan for employees you will be out of the Program’s reach. Auditee selection will be based on a number of criteria, including the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. The OCR appears to be looking to examine a healthy cross-section of covered entities and business associates. On the bright side, OCR stated it will not commence an audit under the Program where there is an open complaint investigation or a current compliance review.

Potential auditees will be screened. OCR may send a questionnaire to covered entities asking them to identify their business associates and provide their contact information. OCR warns that if it does not receive responses to these requests it will use publicly available information to create its audit pool, and nonresponsive entities still may be selected for an audit or subject to a compliance review. In fact, OCR informs covered entities and business associates that it expects them to check their junk or spam email folders for OCR communications about the Program.


The Program will include Desk Audits, followed by On-site Audits. The first stage of the Program will involve desk audits for covered entities, followed by desk audits for business associates, all of which OCR expects to complete by year end. After that, audits will be onsite and will examine a broader scope of requirements from the HIPAA Rules than the desk audits do. Some desk auditees may be subject to a subsequent onsite audit. The audits will examine compliance with specific requirements of the HIPAA Privacy, Security, or Breach Notification Rules. So, for example, OCR might want to look at your documented risk analysis, or your breach notification response plan. Auditees will be notified of the subject(s) of their audit in a document request letter, and OCR confirmed the audits will not cover compliance with state privacy laws.

Consider the audit process and timeline. Covered entities and business associates selected for a desk audit should expect to receive an email informing them of the selection and requesting documents and other data. Auditees will be able to submit documents on-line via a secure audit portal on OCR’s website. OCR expects that the documents and data will be provided within 10 business days of the request.

After submitting the documents and data, auditees will receive draft findings from OCR. Auditees will then have 10 business days to review the draft findings and return written comments to the auditor. Auditees should expect to receive a final audit report within 30 business days after that.

Onsite audits will follow a similar process. The auditors will schedule an entrance conference to discuss the audit, which can be expected to take place over three to five days onsite, depending on the size of the entity. Onsite audits will be more comprehensive and cover a wider range of requirements from the HIPAA Rules. As with the desk audit, entities will have 10 business days to review the draft findings and provide written comments, and they will be provided a final audit report.

Don’t want to respond? Entities that do not respond to OCR communications still may be selected for an audit or be subject to a compliance review. As noted, the agency will use publicly available information to find you.

We’ve been audited, now what? OCR states that the Program is primarily a “compliance improvement” activity, through which it can better understand compliance efforts, and determine what types of technical assistance should be developed and what types of corrective action would be most helpful. Of course, if OCR finds a serious compliance issue, it may initiate further investigation.

There may be publicity surrounding audits. OCR states that it will not post a list of audited entities or the findings of an individual audit in a form that identifies the audited entity. However, OCR reports that it will comply with Freedom of Information Act (FOIA) requests, which could make the results of your audit public.

For now, covered entities and business associates should be on the look-out for communications from OCR and be prepared to respond. It goes without saying that they also should use this as an opportunity to assess their compliance and take steps now to address any gaps.

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand the competing demands and unique challenges faced by in-house counsel. Before joining Jackson Lewis, he was responsible for all labor and employment law matters for the largest fully integrated community care hospital system in New England. Michael provides timely, practical advice that helps clients achieve their strategic goals while ensuring compliance with legal obligations.

With deep experience in a broad range of industries, Michael has a keen interest in the healthcare, higher education, museum, and arts & music sectors. He is dedicated to supporting clients in these areas, leveraging his extensive experience to address the specific challenges faced by institutions and organizations in these fields.

Michael regularly partners with clients to establish positive employee relations. In labor relations matters, he negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Michael’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He reviews and develops policies and procedures, written information security plans and integrated compliance programs to ensure his clients meet their obligations under privacy and data security laws. Michael represents clients in investigations of alleged data breaches and advises them on reporting obligations. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.