OCR Confirms HIPAA Re-Screening Surveys Dispatched

by | May 25, 2015

The Department of Health and Human Services’ Office for Civil Rights has confirmed – to Fierce Health IT – that its preliminary HIPAA surveys have now been issued, marking the start of the 2015 HIPAA compliance audits.

In a recent article in the National Law Review, McDermott Will & Emery revealed that phase 2 of the HIPAA compliance audits was no longer being delayed, after the firm had been advised by some of its clients that an OCR HIPAA audit screening survey had been received.

The aim of the screening surveys is to ensure that all contact and organization information is up to date. The OCR auditors can then pick the organizations most appropriate for audit. From the responses, it is predicted that the OCR select 350 covered entities and 50 Business Associates for an audit on the Security Rule, Privacy Rule, Breach Notification Rule or a combination audit comprising 2 or 3 audit modules.

The OCR is expected to audit healthcare suppliers, health plans and healthcare clearinghouses first, with Business Associate HIPAA audits to come.

It is not clear at this early stage whether the surveys have been issued to all 1,200 bodies that formed the initial sample or if Business Associates have been contacted yet. McDermott Will & Emery believes that the OCR is working with a pool of 550 and 800 CEs. If this is the case, any covered body receiving a survey may have a 50% chance or higher of being audited.

The OCR statement, broadcast via e-mail, confirmed that the pre-audit surveys had been sent, but no information was given as to when the second round of compliance audits will be taking place. According to the original schedule for the audits that were supposed to begin in the fall of 2014, the surveys were scheduled to be sent around this time of year indicating that the audits will only have been delayed a year and will be carried out this fall.

The statement revealed “Additional information about the audit program is forthcoming,” with covered entities instructed to “Check our website for updates.”

Once the notice is published on the OCR website, the audits are expected to start approximately 90 days later, giving covered entities three more months to make sure they are fully HIPAA-compliant before it is put to the test.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy