HIPAA Phase 2 Audits Begin – Is Your Practice Compliant?

As part of its continued efforts to measure compliance with the HIPAA privacy, security, and breach notification rules, the Office for Civil Rights (OCR) has begun implementing the HIPAA Phase 2 audits, the next phase in auditing the policies and procedures adopted and used by healthcare entities and their business associates.

These are crucial measures for the government to take to ensure that business practices meet proper security standards and can stand up to cybercrime.

The audit will also confirm that these practices are implemented transparently, in accordance with the privacy, security, and breach notification rules.

Looking back at Phase 1 of this initiative: under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), HIPAA established legal standards for the privacy and security of clients' health information. This ensured that entities practice a high level of transparency toward the people whose information was at risk under the rules existing at that time. HITECH also requires OCR to conduct periodic audits to ensure these rules are being applied.

The pilot program was a massive success, and OCR has further developed its strategies and methods for the Phase 2 audits. Phase 1 serves as a foundation for OCR to conduct more effective audits, and this time it has compiled a clear set of protocols stating how a compliance audit should be performed.

Some of the testing methods for the HIPAA Phase 2 audits mentioned in OCR's email are as follows:

• A 30-day period to complete a special online screening questionnaire.

• Completing this pre-audit questionnaire is essential for all companies; failure to do so will result in a negative review.

• While most of the questions are relatively easy, some require research before they can be answered.

• After completing this questionnaire, companies should be aware that they can be subjected to a random audit at any time.
Covered entities will be audited before business associates, because the pool of business associates has not yet been fully identified; as the audit program progresses, business associates will eventually be included.

Once you are selected for an audit, you need to respond within a short period of time to submit any required documentation.

Therefore, it is advisable that organizations keep their HIPAA security-related documentation up to date and ready to be reviewed at any time.

Making sure your documentation is genuine and truthful, and always being transparent in your work, will ensure that both the company and the OCR officials have a smooth experience during the compliance audit.

No other industry in America has more disclosed breaches than healthcare. Without dedicated security management, breaches prevail, and the resulting security failures endanger patients and spur investigations.

Business Information Solutions specializes in managing compliance with the HIPAA privacy rules for hospitals and private practices. As your trusted technology partner and trained HIPAA consultant, we will audit your network, identify compliance gaps, and create a remediation plan to ensure you are compliant and covered. Sign up for our FREE, no-obligation HIPAA Security Consultation today.

If you have comments or questions, please email

Phillip D. Long

Business Information Solutions, Inc.

For more information about Business Information Solutions please visit the BIS Website. BIS, Inc. provides Network Consulting, Proactive IT Support and Security Services for businesses in Gulfport and Biloxi, MS, Mobile, Daphne, Spanish Fort, Fairhope, and Foley, AL, and Pensacola, FL.
