877.334.8512 |      

EHR and practice management for mental / behavioral health

2016 HIPAA Audits Part 10: OCR Phase 2 - Is HIPAA Coming For You?

PIMSY mental health practice management software shares part 10 of HIPAA 2016 series: is HIPAA coming for you?

by Donna Koger, 12.7.16

As most of you already know, on March 21, 2016, OCR announced "Phase 2" of its audit program. Some providers have already received emails asking for updated contact information so OCR can effectively communicate with the entities selected for an audit.

Failure to respond will not protect you from being included in the audit program, so it is important to check email spam filters to make sure that an email has not been held up in delivery.

OCR intends to audit a broad spectrum of covered entities and business associates of various sizes, types and locations. However, OCR will not include entities with an open complaint investigation or compliance review. And, even though more stringent state laws that are contrary to HIPAA preempt HIPAA's provisions, OCR has indicated that its audit program will not consider state-specific privacy and security rules.

Covered entities will be asked to provide to OCR a list of business associates, who then could become potential audit targets. The best thing to do is prepare a list now of your business associates, their service(s) and contact information. OCR has published a list of 27 elements for each business associate.

Required Elements for Each Business Associate:

1. Business Associate Name
2. Type of Service(s) provided
3. First Point of Contact Title
4. First Point of Contact First Name
5. First Point of Contact Last Name
6. First Point of Contact Address
7. First Point of Contact Address Continued (if needed)
8. First Point of Contact City
9. First Point of Contact State
10. First Point of Contact Zip
11. First Point of Contact Phone
12. First Point of Contact Phone Extension (if needed)
13. First Point of Contact Fax
14. First point of Contact Email
15. Second Point of Contact Title
16. Second Point of Contact First Name
17. Second Point of Contact Last Name
18. Second Point of Contact Address
19. Second Point of Contact Address Continued (if needed)
20. Second Point of Contact City
21. Second Point of Contact State
22. Second Point of Contact Zip
23. Second Point of Contact Phone
24. Second Point of Contact Phone Extension (if needed)
25. Second Point of Contact Fax
26. Second point of Contact Email
27. Website URL

Covered entities and business associates will have only 10 business days to respond to audit requests. A final audit report will be completed within 30 business days after the auditee responds. Depending on the results of the audit, OCR may initiate a compliance review which could lead to enforcement action.

If you have conducted a Security Risk Analysis that includes a section on Disaster Recovery, you should already have prepared a list such as the one above. If not, you should begin that process ASAP in case of an audit. See The Audits Are Coming! The Audits Are Coming! for more details.

Sources Include


More Information

Find more complimentary resources in our HIPAA Resource Center.
Related Posts:
Part 1: What's on the Horizon?
Part 2: Into the Breach
Part 3: PHI Identifiers
Part 4: 10 Steps to Compliance
Part 5: Where's Your PHI Data?
Part 6: HIPAA Crash
Part 7: 5 Steps to Take After a Data Breach
Part 8: All About the BAA
Part 9: The Audits Are Coming! The Audits Are Coming!





Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.

Kudos from Clients

  • Seth H.

    “PIMSY more than pays for itself by streamlining my office, improving efficiency and reducing billing times. I would recommend PIMSY to anyone looking for a good EMR company that will help you implement its program and help you with any questions you have along the way.”

    ~ Seth H., Business Owner

  • Karen B.

    “Love PIMSY! So much quicker to complete notes and easier for everyone working with clients to know current authorizations and track units.”

    ~ Karen B., Therapist

  • Dr. Carmen L.

    “I am extremely appreciative and am so glad I decided to go with PIMSY versus the other options I was considering. I was singing your praises to a colleague of mine today who is feeling overwhelmed with her paper process. I highly recommend all of you.”

    ~ Dr. Carmen L., Program Director

  • Kim T.

    “We are now functioning at a 50% faster recovery rate for money and a 50% lower denial rate. You should really give the PIMSY team time to demonstrate for you personally.”

    ~ Kim T., Business Director

Subscribe To Our Newsletter

Subscribe to the PIMSY newsletter
What topics are you most interested in?