OCR’s Privacy, Security, and Breach Notification Audit Program:

Although the ever-expanding use of health information technology in health care provides many benefits, in turn it poses new risks to consumer privacy. To ensure HIPAA compliance, HITECH requires HHS to perform periodic audits of covered entities and business associates.

In 2011 and 2012, OCR conducted a pilot audit program of 115 covered entities that were randomly selected to cover the broad range of healthcare-associated covered entities. OCR is now implementing Phase 2 of the program, which will audit both covered entities and business associates. As part of this program, OCR is developing enhanced protocols for the next round of audits and pursuing a new strategy to test the efficacy of desk audits in evaluating HIPAA compliance efforts. Feedback regarding the protocol can be submitted to OCR.

Phase 2 of OCR’s HIPAA audit program is currently underway. OCR has already begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools. Communications from OCR will be sent via email and may be incorrectly classified as spam.

If an entity’s spam filtering and virus protection are enabled automatically, the covered entity is expected to check its junk or spam email folder for emails from OCR.

Every covered entity and business associate is eligible for an audit and is expected to provide full cooperation and support in accordance with the HIPAA Enforcement Rule.

Sampling criteria for this phase of the audit program will include size, public or private status, affiliation with other healthcare organizations, entity type, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

Once entity contact information is obtained, a questionnaire will be sent to covered entities. Selected auditees will then be notified of their participation. If a covered entity or business associate fails to respond to information requests, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

The first set of audits will be desk audits of the covered entities, followed by another round of desk audits of business associates, examining compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. Auditees will be notified of the subject(s) of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. The third set of audits will be on-site to examine a broader scope of requirements.

Audited entities will submit documents online via a new secure audit portal on OCR’s website. There will be fewer on-site visits in Phase 2. Auditees may respond to draft findings, and their written responses will be included in the final audit report. Audit reports generally describe how the audit was conducted, discuss any findings, and contain entity responses to the draft findings.

In the coming months, OCR will notify the selected covered entities in writing through email about their selection for a desk audit. OCR expects the selected auditee to submit requested information via OCR’s secure portal within 10 business days of the date on the information request. All documents are to be in digital form and submitted electronically via the secure online portal. Upon receipt of these documents, the auditor will review them and provide draft findings to the auditee.

For on-site audits, notification will also be sent via email. Each on-site audit will be conducted over 3 to 5 days. On-site audits will be more comprehensive than desk audits.

For both desk and on-site audits, auditees will have 10 business days to review and return any written comments to the auditor in response to the draft findings. The auditor will complete a final audit report for each entity within 30 business days after the auditee’s response. OCR will share a copy of the final report with the audited entity.

From these audit findings, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.

Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to investigate further. OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public. In the event OCR receives such a request, it will abide by the FOIA regulations.

During the audit process, OCR will continue to accept complaints from individuals and to launch compliance reviews where warranted; compliance obligations of covered entities and business associates remain in full effect.

The scope of the audit program does not extend beyond the Privacy, Security, and Breach Notification Rules.

HHS is responsible for the on-site auditors. Neither covered entities nor their business associates are responsible for the costs of the audit program.
The 2016 Work Plan from the OIG offers risk managers insight into what areas of compliance and potential liability will be the hot topics this year. The Work Plan is broken down into many sections so that risk managers can focus most on the part of the plan that directly affects their type of healthcare organization.

Per Bart Walker, JD, a partner with the law firm of McGuire-Woods in Charlotte, NC, “OIG looks at what’s going on in healthcare each year and comes up with this plan that says ‘there are a hundred or so areas where we think there’s some smoke, if not fire.’ This is the leading edge in terms of what they’re looking at.”