OCR Reveals Detail Regarding Phase 2 of HIPAA Audits

by Patrick Kennedy | Apr 16, 2014

The Office for Civil Rights (OCR) has revealed that it will restart its HIPAA compliance audit program this fall. Phase 2 will include 350 compliance audits of healthcare providers, healthcare clearinghouses and health plans, along with 50 further audits which, in accordance with the HIPAA Omnibus Rule, will be carried out on business associates.

The OCR completed a round of pilot audits in 2011/2012 which examined a wide range of compliance areas in order to gauge the level of compliance across different parts of the healthcare industry. The pilot round involved 115 covered entities, each of which was subjected to a full compliance audit including a site review. The audits uncovered numerous areas in which healthcare organizations were failing to comply with HIPAA.

The majority of audited organizations were found to have violated HIPAA; only 11% of covered entities were found to be fully compliant. 80% of the healthcare providers with Security Rule findings had failed to conduct a thorough risk analysis, while 39% of all audited entities had Privacy Rule findings. 10% violated the Breach Notification Rule, and many were found to have violated all three rules, with smaller healthcare providers standing out for a broad range of non-compliance issues.

These results allow the OCR to tailor the next round of audits to the key areas of HIPAA compliance that produced the most violations. The audit protocol also needed to be refreshed following the issuing of the Omnibus Final Rule last year.

The second phase of HIPAA compliance audits will include more covered entities and will have a much narrower focus, concentrating on specific provisions of the Privacy, Security and Breach Notification Rules.

The audits are due to take place between October 2014 and June 2015. The coming phase will look at privacy and security, in particular the storage and transmission of electronic protected health information (ePHI) and how breaches are managed.

The desk audits will review compliance with selected Privacy and Security Rule provisions. On the Privacy Rule side, auditors will examine in particular how organizations respond to patients' requests for access to their health records and how they provide notices of privacy practices. Policies and procedures that implement the Breach Notification Rule will also be checked.

The on-site audits will be more detailed. The OCR is expected to ask to see HIPAA in action and will check that written policies have been translated into compliant day-to-day procedures. They will place a strong emphasis on the Security Rule, which the pilot found to be a major area of non-compliance. Risk analyses will be reviewed thoroughly, as will the risk management measures that follow from them.

The OCR will publish the protocol for the next phase of audits on its website in due course. This will enable all covered organizations to conduct an internal pre-assessment for compliance and address any issues discovered. Business associate audits are not expected to be carried out until 2015.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
