
2016 HIPAA Audits Part 9: The Audits Are Coming! The Audits Are Coming!

PIMSY mental health practice management software shares part 9 of HIPAA 2016 series: the audits are coming

by Donna Koger, 7.26.16

The Office for Civil Rights (OCR) has released a new HIPAA Audit Protocol for its Phase 2 audits, along with a Business Associate Listing Template for Covered Entities. As OCR puts it, “Selected auditees will be requested to provide detailed information regarding their Business Associates.”

The biggest change to the audit protocol is that OCR has separated what is required of Business Associates (BAs) from what is required of Covered Entities (CEs). The guidance is extensive: it covers each type of audit and spells out precisely what action needs to be taken and by whom. OCR has already begun notifying Covered Entities and Business Associates by email of their potential inclusion in Phase 2.

What Is The Phase 2 Audit Program?

As of March 22, 2016, the Office for Civil Rights (OCR) has officially begun its Phase 2 HIPAA Privacy, Security, and Breach Notification Audit Program. These Phase 2 audits are a precursor to the permanent audit program that OCR plans to establish in the coming years. Gathering your compliance documentation now, before you are contacted, is a proactive step that keeps your organization out of trouble and protects your reputation.

What Do They Want?  

According to OCR, the 2016 Phase 2 HIPAA Audit Program will review policies and procedures adopted and employed by Covered Entities and their Business Associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

The Phase 1 pilot audits conducted during 2011 and 2012 revealed a troubling pattern of non-compliance: only 11% of the Covered Entities audited had no deficiencies in their compliance. Understanding exactly what is required of you, whether you are a Covered Entity or a Business Associate, should therefore be a priority for every potential auditee.

Who Will Be Audited? 

OCR has explicitly written both CEs and BAs into its Phase 2 program this time around, stating that “every covered entity and business associate is eligible for an audit.”
</gra_replace>
<gr_replace lines="31" cat="clarify" orig="If a Covered Entity or Business Associate is chosen">
If a Covered Entity or Business Associate is chosen for the pool of potential auditees, the process follows a fairly straightforward path, outlined below:

They are looking for Covered Entities and Business Associates that vary in size, operation, and location. OCR will look at a wide range of potential auditees to attain a broad analysis of HIPAA compliance across the health care industry.

If a Covered Entity or Business Associate is chosen to be a part of the group of potential auditees, they can expect the process to follow a fairly simple route, outlined below: 

Round 1 – Email Contact and Questionnaire 

     • Covered Entities will receive an email from OCR to verify their contact information
     • Covered Entities will fill out a questionnaire from OCR to assess their size, scope, and operations
     • Covered Entities will be asked to compile a list of all of their Business Associates with contact information
     • Failure to respond will not exclude a Covered Entity from potentially being audited; OCR will simply use publicly available information

Round 2 - Business Associates 

     • Business Associates will be contacted in the same manner as Covered Entities
     • Business Associates will likely be asked to provide a list of subcontracted BAs who also deal with Covered Entities
     • Failure to respond will not exclude a Business Associate from potentially being audited; OCR will simply use publicly available information

Round 3 - Notification, Selection, and Desk Audits 

     • If a CE or BA is chosen for a desk audit, OCR will notify the organization by letter explaining the audit process and expectations
     • The letter will request specific documents from the CE or BA (for example, the policies and procedures that implement the standards selected for review)
     • CEs and BAs must respond to the letter and provide the requested documents within 10 business days
     • OCR will review the submitted documents and send the CE or BA a draft report of its findings
     • CEs and BAs will have 10 business days to review and respond to OCR’s draft findings
     • OCR will complete and deliver the final audit report within 30 business days of receiving the auditee’s response

Round 4 - Onsite Audit 

     • CEs and BAs may also be selected for onsite audits, again via written notification from OCR
     • OCR will hold an entrance conference explaining the audit process and expectations
     • Onsite audits will be conducted over the course of three to five days
     • OCR will provide draft findings to the audited CE or BA within 10 business days
     • CEs and BAs will have 10 business days to review and respond to OCR’s draft findings
     • OCR will complete and deliver the final audit report within 30 business days of receiving the auditee’s response

Round 5 - Post-Audit Follow Up 

     • OCR will use the audit reports to determine what kinds of technical assistance and corrective action it should pursue going forward
     • However, if an audit reveals a serious compliance concern, OCR may open a full compliance review of the CE or BA

For more information on the updated Audit Protocol, see the Health & Human Services (HHS) website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

More Information

Find more complimentary resources in our HIPAA Resource Center.
Related Posts:
Part 1: What's on the Horizon?
Part 2: Into the Breach
Part 3: PHI Identifiers
Part 4: 10 Steps to Compliance
Part 5: Where's Your PHI Data?
Part 6: HIPAA Crash
Part 7: 5 Steps to Take After a Data Breach
Part 8: All About the BAA

Donna Koger is currently the HIPAA Compliance Officer and materials developer for software training and support at Smoky Mountain Information Systems, home of PIMSY EHR. Ms. Koger is also a regular contributor to the PIMSY EHR Blog.
