HIPAA Phase 2 Audit: What To Do Now

Don't Forget these To Do Items

Hopefully your organization has been following the regular updates from OCR on the HIPAA audit process. But in case you need a refresher, some key to-do items are listed below:

Ensure that OCR’s emails are not being routed to your spam or junk email folder.

OCR has stated that it will be sending audit related emails from OSOCRAudit@hhs.gov and that it expects Covered Entities and Business Associates to check spam and junk mail folders for correspondence from the agency. Failure to respond to OCR’s emails won’t get an entity off the hook for an audit; the agency plans to use publicly available information about entities that do not respond and include them in the audit pool.

Prepare a list of your business associates

In the pre-audit screening process, OCR will ask for a list of business associates. The agency encourages Covered Entities to prepare a list in advance for responding to this request.

Review the Phase 1 Audit Protocol

OCR has not yet posted updated audit protocols for Phase 2, but the Phase 1 audit protocol remains available on the OCR website. Even if your organization is not selected for an audit, working through the protocol is a great way to evaluate your compliance.

Ensure you have an audit response ready

As noted above, Covered Entities and Business Associates will have only 10 business days to respond to OCR’s request for documentation. They will also have only 10 business days to review the auditor’s draft findings. Assemble your audit team (and your documents) in advance.

Review the audit information on OCR’s website

Further information about Phase 2 is available here


Have questions? I’m here to help.