
Preparing for the HHS OCR Phase 2 Audits

by: Mitchell H. Levine, CISA - Audit Serve, Inc.


The level of commitment an organization makes to comply with a regulatory requirement is, unfortunately, in many cases dependent on the likelihood that it will be audited. When the HHS Office for Civil Rights (OCR) announced on March 21, 2016 that it was proceeding with Phase II audits (starting initially with 167 desk audits, for which the covered entities were notified July 11th), this served as a call to action for those organizations that have not implemented the necessary controls and processes. These desk audits, along with the second stage of onsite audits to commence in 2017, have started a "mad scramble" in the health care industry to firm up the privacy, security and breach handling controls required to meet the HIPAA/HITECH requirements. Unlike the Phase 1 audits, which targeted only 115 covered entities and were completed in December 2012, the Phase II audits will also select Business Associates. The ruling from January 2013 placed Business Associates on par with Covered Entities in regard to the Security, Privacy and Breach Notification controls they need to establish. The sample of Business Associates is being derived from the Covered Entity audits performed in the past, so it will be apparent to those Business Associate organizations that provide key services to the Covered Entity industry that they are most likely to be included in the scope of the Phase II OCR audits.

The number of Phase II audits announced for the 2016-17 period seems modest (200+ desk audits and an undetermined number of on-site audits), but it is expected that the number of audits will increase in future years, since this new OCR audit initiative originated with the September 2015 HHS OIG report recommending that OCR strengthen its oversight of CE compliance with the HIPAA privacy standards. As the report's conclusions stated: "OCR oversight is primarily reactive; it investigates cases in response to complaints, tips or media reports. It has not yet fully implemented the required audit program."

Although the 167 desk audits initially announced seem very few, OCR's creation of a portal through which audited organizations upload the deliverables that support their compliance with targeted security, privacy and breach notification controls gives OCR a basis for ramping up the number of such audits it can conduct in 2017 and beyond. OCR's original mandate to conduct oversight audits derives from the 2010 HITECH regulations.

OCR has published the deliverable list, which translates into the controls an organization needs to establish as part of a desk audit. These deliverables pertain to 7 key controls selected from the Security, Privacy, and Breach Notification Rules:

  • Patient privacy notices
  • Privacy notices posted on websites
  • Access provision controls, including the review of a sample of access requests that were processed
  • Past and current annual risk assessments performed to identify threats and vulnerabilities related to the CIA (confidentiality, integrity, availability) impact types
  • Policies and procedures related to Risk Management
  • Breach handling and notification, including the requirement to upload all information relating to incidents that fall below the 500-individual threshold; OCR will surely review these to ensure the new Risk Assessment requirements issued January 2013 were properly adopted




In regard to preparation for the onsite audits, OCR has published an audit program in which OCR will select a sample of the policies and procedures adopted to meet the Privacy, Security, and Breach Notification Rules. Several hundred policies and procedures are referenced in the OCR audit program, which will require organizations to establish many additional policies and procedures. Moreover, it is apparent from the OCR Audit Program that OCR will be conducting compliance tests to validate that the procedures have been adopted and that controls are working effectively. It is also apparent from the Audit Program that the focus of this audit relates to the HIPAA Security and Privacy Rules, but it does include the most recent Risk Assessment processes that were required to be established to meet the HIPAA/HITECH rules issued January 2013.


Mitchell Levine, CISA, Founder and President of Audit Serve Inc., and his consulting team conduct Risk Assessments of Covered Entities and Business Associate organizations to determine whether a control structure has been established to meet the requirements included in the scope of the OCR Phase II audits. Contact Mr. Levine at Levinemh@auditserve.com for additional information.
