Publications | March 30, 2016

Check Your Email: HIPAA 2016 Phase 2 Audits Are Underway

Last week the U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched Phase 2 of its HIPAA compliance audits, and this time around every covered entity and business associate, no matter its size or function, is eligible for an audit. Check your spam folders: OCR has started sending initial emails to verify contact information for potential auditees, and organizations have only fourteen days to respond to OCR’s information request. Failure to respond may result in OCR using publicly available information about your organization to create its audit pool.

Receiving an email at this stage does not mean OCR has selected your organization for an audit, but from the responses it receives OCR will create a pool of organizations for Phase 2 audits. These audits will target implemented policies and procedures, likely with a sharp focus on business associate agreements. The first set of audits will be desk audits for covered entities, followed by a second set of desk audits for business associates. If your organization is selected for a desk audit, you will be notified by email and must submit the requested information to OCR within ten business days of the notification. A third set of audits will be conducted onsite and will cover a broader scope of requirements from the HIPAA rules than desk audits. It is anticipated that the results of a desk audit may trigger a subsequent onsite audit and potential investigations if deficiencies are uncovered.  

How to Prepare

Due to the tight deadlines imposed by OCR, we recommend that you take the steps below to prepare yourself for a potential audit:

Further information about the Phase 2 audit process is available on OCR’s website. If you have any questions about the Phase 2 audit process or HIPAA compliance generally, please contact Norbert F. Kugele (616.752.2186), Kelly Hollingsworth (616.752.2714), or any other member of the Data Solutions Practice Group at Warner Norcross & Judd LLP.