

March 30, 2016

Check Your Email: HIPAA 2016 Phase 2 Audits Are Underway

Last week the U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched Phase 2 of its HIPAA compliance audits, and this time around every covered entity and business associate, no matter its size or function, is eligible for an audit. Check your spam folders: OCR has started sending initial emails to verify contact information for potential auditees, and organizations have only fourteen days to respond to OCR's information request. Failure to respond may result in OCR using publicly available information about your organization to create its audit pool.

Receiving an email at this stage does not mean OCR has selected your organization for an audit, but from the responses it receives OCR will create a pool of organizations for Phase 2 audits. These audits will target implemented policies and procedures, likely with a sharp focus on business associate agreements. The first set of audits will be desk audits for covered entities, followed by a second set of desk audits for business associates. If your organization is selected for a desk audit, you will be notified by email and must submit the requested information to OCR within ten business days of the notification. A third set of audits will be conducted onsite and will cover a broader scope of requirements from the HIPAA rules than desk audits. It is anticipated that the results of a desk audit may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered.  

How to Prepare

Due to the tight deadlines imposed by OCR, we recommend that you take the steps below to prepare yourself for a potential audit:
  • Check your spam and junk folder. Determine the person or persons at your organization OCR is most likely to identify as the "primary contact," and ask them to monitor diligently for OCR communication. OCR audit-related emails are sent from a designated OCR address, and OCR expects you to check your spam and junk mail folders for its emails rather than treating a missed message as an excuse.
  • Prepare a list of your business associates. In the pre-audit screening process, OCR will ask for a list of business associates. OCR encourages covered entities to prepare a list in advance for responding to this request. Ensure their contact information is up to date.
  • Review the Phase 1 audit protocol. OCR has not yet posted updated audit protocols for Phase 2, but the Phase 1 audit protocol remains available here. Working through the protocol is a good way to evaluate your current level of compliance.
  • Prepare your audit response team. Identify and assemble an audit team who can quickly respond to information requests and gather the documents OCR will likely request should you be selected for an audit.
  • Be alert for potential scams. Be careful when opening purported communication from OCR, as there is always the potential for phishing and malware attacks under the guise of such communications. Confirm that the sender address matches OCR's actual address before opening attachments or following links, and when in doubt verify the request through OCR's published contact channels rather than by replying to the message.
Further information about the Phase 2 audit process is available on OCR's website. If you have any questions about the Phase 2 audit process or HIPAA compliance generally, please contact Norbert F. Kugele (616.752.2186), Kelly Hollingsworth (616.752.2714), or any other member of the Data Solutions Practice Group at Warner Norcross & Judd LLP.
