New OCR Guidance for Phase II HIPAA Audits

HHS Office for Civil Rights (OCR) recently issued guidance addressing its approach to the 2016 Phase II HIPAA Desk Audits. In its announcement of the guidance, OCR emphasized the broader applicability of these resources beyond just the 167 covered entities currently selected for Phase II Desk Audits, saying, “[t]he guidance should be helpful to audited entities as well as other covered entities and business associates seeking assistance with improving their compliance with these important requirements of the HIPAA Rules.” The insight provided in these documents may be especially useful to business associates in anticipation of the Business Associate Desk Audits which OCR has said will commence in late September of this year.

OCR provided this new guidance in three documents:

  • Selected Protocol Elements with associated document submission requests and related Q&As (“Protocol”);
  • Slides from audited entity webinar held July 13, 2016 (“Presentation”); and
  • Comprehensive question and answer listing (“Q&A”).


The Protocol includes sections for Audit Inquiry, Document Request List, and related Questions/Answers (excerpted from the Q&A document). The Audit Inquiries were excerpted from the general Phase 2 HIPAA Audit Program Audit Protocol, updated in April 2016; this further emphasizes the importance for covered entities and business associates of reviewing OCR guidance as it is issued and incorporating it into their ongoing compliance efforts.

The Document Request List gives additional insight into the kinds of documentation OCR considers necessary for compliance with the selected regulatory sections. Some items of particular note:

  • In the inquiry regarding Notices of Privacy Practices provided electronically, OCR requests to see “documentation of an agreement with the individual to receive the notice via e‐mail or other electronic form.” Although the cited regulation requires that an individual must agree to receive the Notice of Privacy Practices electronically, there is not an express requirement for the form that agreement must take. Thus, the request for “an agreement with the individual” underscores OCR’s emphasis on documentation.
  • Throughout the communications regarding the Phase II Audits, OCR has emphasized compliance with the Security Rule. In relation to the Security Management Process, the Protocol requests “documentation demonstrating the efforts used to manage risks from the previous calendar year,” and “documentation demonstrating the security measures implemented to reduce risks as a result of the current risk analysis or assessment. (Upload documentation demonstrating that current and ongoing risks [are] reviewed and updated.)” These requests highlight that OCR views risk assessment and management not as a one-time exercise, but rather as a continual, dynamic process responsive to changes in real time.


Some points of interest from the Presentation include that OCR anticipates that onsite audits will begin in early 2017, and may include both covered entities that were subject to the Desk Audits and newly selected covered entities not previously part of the Desk Audit process. Notification of these onsite audits is expected in late fall. OCR also noted in the Presentation that the onsite audits will evaluate auditees against a comprehensive set of HIPAA compliance controls, suggesting that onsite audits may not be limited in scope in the same way as the Desk Audits.


The Q&A document primarily contains questions and answers directly related to the Desk Audit process itself, while also providing helpful insight to business associates in anticipation of the upcoming Business Associate Desk Audits. The document also offers a more general understanding of what OCR considers appropriate documentation to support requests. For example, in response to the question “Do[es OCR] wish to receive pictures of the Notices [of Privacy Practices] hanging on the walls in addition to receiving the uploaded paper copies?” OCR responded, “Yes. Please ensure the text is readable.” Another example of the specificity and detail OCR is expecting in supporting documentation comes in answer to the question, “[Audit Item] P65 Right to Access – If the access request is from a personal representative on behalf of the patient, are we required to submit documentation proving the personal representative’s authority?” OCR responded, “P65 requires all documentation related to the specified access requests. That would include documentation of personal representative status when such status is relevant to the handling of the request.”


OCR’s newly released guidance documents, as well as the full 2016 Audit Protocol and other guidance available on OCR’s website, are important tools for covered entities and business associates to use in reviewing and strengthening their compliance with HIPAA. Although OCR has indicated that the Phase II Audits are a “compliance tool,” multiple recent high-dollar settlements and Resolution Agreements—with covered entities and business associates alike—give an indication of the direction OCR is trending regarding enforcement of HIPAA compliance.