On Monday, March 21, 2016, the Health and Human Services Office for Civil Rights (“OCR”) began the long-awaited Phase II of OCR’s random audit program to determine compliance with the patient privacy provisions included in the Health Insurance Portability and Accountability Act (“HIPPA”). As we discussed earlier here, these audits will extend beyond simply covered entities and will also include business associates.

Covered entities and business associates will receive an email from OCR entitled “Audit Entity Contact Verification.”  This email simply allows OCR to verify contact information—receipt of this email does not mean that your organization is necessarily going to be audited.  After confirming contact information, OCR will create an audit pool; actual audits will begin in a few months.  Speaking at a PHI Protection Network Conference last week, an OCR representative stated that OCR expects to audit approximately 150 covered entities and 50 business associates in 2016.  Audit protocols will be released on the OCR website later this year, prior to the date audits begin.

OCR will be looking for “serious compliance issues” that may trigger further investigation, with possible financial penalties.  Audit findings will also be used to develop new guidance and policies aimed at strengthening adherence to HIPAA rules.