The U.S. Department of Health and Human Services has begun the next phase of HIPAA audits of covered entities and business associates to assess compliance. This phase will involve both desk audits reviewing policies and procedures as well as some on-site audits. The audits will focus first on covered entities and then business associates. Entities selected will be notified by email and given timeframes to respond to requests and review findings. The audits are expected to have a focus on business associates and covered entities' oversight of business associates through business associate agreements.
HIPAA 2016 Phase 2 Audits of Covered Entities and Business Associates
FISHERBROYLES.COM
THE NEXT GENERATION LAW FIRM ®
HIPAA 2016 Audits Phase 2: Covered Entities and Business
Associates Take Notice
PRACTICE AREA / INDUSTRY: HEALTHCARE; WHITE COLLAR LITIGATION &
GOVERNMENT INVESTIGATIONS
Brian E. Dickerson
brian.dickerson@fisherbroyles.com
202.570.0248
Anthony J. Calamunci
anthony.calamunci@fisherbroyles.com
419.376.1776
Nicole Hughes Waid
nicole.waid@fisherbroyles.com
202.906.9572
March 22, 2016
As part of its continued effort to assess compliance with the HIPAA Privacy, Security and Breach Notification
Rules, the U.S. Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) announced
yesterday that it has begun its next phase of audits of covered entities and their business associates. In the
2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures of covered entities and
their business associates primarily through desk audits; however, some on-site audits will also be conducted.
This second phase of audits follows OCR’s 2011-2012 pilot program of 115 entities. From the data collected
and results achieved, OCR developed enhanced protocols to be used in the 2016 Phase 2 HIPAA Audit
Program, including a new strategy to test the efficacy of desk audits in evaluating compliance with privacy,
security and breach notification rules. OCR is identifying pools of covered entities and business associates
that represent a wide range of health care providers, health plans, health care clearinghouses and business
associates. OCR will not audit entities with an open complaint investigation or that are currently undergoing a
compliance review.
The first desk audits will be for covered entities, followed by a second round of desk audits of business associates.
All desk audits in this phase will be completed by the end of December 2016. A third set of audits will be onsite
and will cover a broader scope of requirements from the HIPAA Rules than desk audits. It is anticipated that results
from desk audits may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered.
The audits are underway to review the policies and procedures of covered entities, beginning with an email
notification from OCR requesting contact information. Click here to view a sample email. The emails will originate
from OSOCRAudit@hhs.gov and if your entity’s spam filtering and virus protection are automatically enabled, OCR
expects you to check your junk or spam folders for their email. Failure to respond to the notification email may
result in OCR using publicly available information to create its audit pool, thus a desk or onsite audit notification
may not reach the appropriate company representative in a timely fashion. OCR will create a pool of targets for
desk and onsite audits from the responses to the initial emails.
If your entity is chosen for a desk audit, requested information must be submitted electronically within 10 business
days of the request. OCR will provide draft findings and auditees will have 10 days to review and return written
comments. Similarly, entities chosen for onsite audits will also receive an email notification. OCR will schedule
an entrance conference to provide more information about the process and onsite audits will be conducted over a
3-5 day period, depending upon the size of the entity. Entities will have 10 business days to review draft findings
and provide written comments to the auditor. OCR will complete and provide a final audit report within 30 business
days.
As we have advised in our recent client alerts regarding HIPAA enforcement trends, we believe the 2016 Phase 2
HIPAA Audit Program will have a keen focus on business associates and covered entities’ Business Associate
Agreements (“BAAs”). Business associates have been covered by HIPAA only since 2013; therefore, their compliance
with the HIPAA Privacy, Security and Breach Notification Rules may not be as robust or as fully vetted as required
by OCR. Business associates that conduct third-party billing, data analysis, storage and management, as well as
the covered entities who have BAAs with these vendors, are particularly vulnerable to being a target of OCR audits.
Covered entities and business associates must exercise due diligence in reviewing their HIPAA compliance
programs and conducting system-wide audits of their PHI safeguards to identify and remediate areas of
vulnerability that could put personal health information at risk.
For further information on the subject matter of this alert, please contact the following FisherBroyles attorneys:
Brian E. Dickerson
brian.dickerson@fisherbroyles.com
202.570.0248
Nicole Hughes Waid
nicole.waid@fisherbroyles.com
202.906.9572
Anthony J. Calamunci
anthony.calamunci@fisherbroyles.com
419.376.1776