HIPAA Phase II Audits Now In Full Swing

July/August 2016


The Department of Health and Human Services first unveiled HIPAA's Privacy Rule on December 28, 2000, during the waning days of the Clinton administration. Since then, additional legislation and regulations have covered HIPAA's Security and Breach Notification rules, culminating in an Omnibus Final Rule issued on January 25, 2013.

HHS, through the Office of Civil Rights, has spent the last several years developing a comprehensive audit process designed to monitor HIPAA compliance. It began with a Phase I pilot program in 2011-12, during which 15 lucky "covered entities" were selected to participate in what amounted to a beta version of OCR's audit program.

Having presumably worked out the bugs in this process through Phase I, OCR announced in March 2016 that it was launching its Phase II audit process, directed at both covered entities and their business associates. Here's how OCR described the timetable for its Phase I audits, which carries over substantially unchanged into Phase II; the main difference is that Phase II will consist of a substantial number of "desk audits" in addition to onsite audits:

OCR sent out its first wave of audit letters to covered entities on July 11, 2016, reproduced below, with more letters to be directed to business associates this fall.

Note that a failure to respond to this letter to confirm a covered entity's contact information will not shield it from audit; that would be too easy.

I was curious about the protocol that OCR has developed for conducting HIPAA audits, so I downloaded and printed it. Only then did I discover that I had unleashed a 419-page monster that goes through the audit process in mind-numbing detail.

The bottom line: if you sponsor a health plan for your employees, your plan is a "covered entity" subject to these audits. So are your "business associate" third-party service providers who handle protected health information in the administration of your plan. The audit protocol places a heavy emphasis on written documentary evidence of compliance with HIPAA's privacy, security and breach notification requirements. This documentation goes well beyond the plan document and service provider agreements to include detailed written policies and procedures.

We have developed a gap assessment tool designed to get you and your plan compliant in advance of any audit. You may assume that your service providers have taken care of these details; after all, that's what you're paying them for, right? You can test this assumption by glancing at the audit protocol and asking yourself where you would find the documentation requested during the ten days allotted for you to produce it in an audit.

Our private audit is designed to provide you the tools and documentation you will need if you are audited. And, lest we forget in the chaos and expense of the regulatory burdens associated with employer-sponsored health care coverage, you should also take comfort knowing that at the end of our audit, you will have a "healthy" plan that provides an essential benefit to your most valuable asset: your employees.

Doug Powers limits his practice to employee benefits compliance and litigation. He is currently the President of the Great Lakes Tax Exempt and Government Entities Council, one of five regional councils that regularly advise the Internal Revenue Service on benefits issues. He may be reached at 260.422.0800 or at

Beckman Lawson, LLP
201 West Wayne Street
Fort Wayne, IN 46802

Phone: 260-422-0800
Fax: 260-420-1013