Pre-audit screening surveys mailed for Phase 2 HIPAA Audits

Wednesday, May 27, 2015

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has transmitted HIPAA pre-audit screening surveys to covered entities that may be selected for a second phase of HIPAA compliance audits.

OCR is required to conduct compliance audits of covered entities and business associates under the 2009 HITECH Act. This round, tt is believed that only 800 surveys were distributed, with the goal of selecting several hundred covered entities and approximately 50 business associates for audit. 

Unlike the 150 pilot audits of HIPAA covered entities conducted in 2011 and 2012 (Phase 1 Audits), which exclusively focused on covered entities (see Phase 1 audit protocol), OCR is conducting Phase 2 Audits of both covered entities and business associates. The Phase 1 audit program was outsourced to the KPMG auditing firm and required extensive onsite activities by the auditors.

The Phase 2 Audit program will focus on areas of greater risk to the security of protected health information (PHI) and pervasive non-compliance based on OCR’s Phase I Audit findings and observations, rather than a comprehensive review of all of the HIPAA Standards.

The Phase 2 Audits also are intended to identify best practices and uncover risks and vulnerabilities that the OCR has not identified through other enforcement activities.  It is believed that Phase 2 audits will be primarily remote in nature with little to no onsite activities by auditors.  OCR will use the Phase 2 Audit findings to identify technical assistance that it should develop for covered entities and business associates to ensure privacy & security of protected health information.  In circumstances where an audit reveals a serious compliance concern, OCR may initiate a compliance review of the audited organization that could lead to civil money penalties.

OCR had previously planned to issue the pre-audit screening surveys in the summer of 2014, but postponed their release until it completed its implementation of a new web portal that will be used for the submission of audit-related materials.

If you receive a pre-audit survey and wish to discuss its submission with a PHA security advisor you may contact George Bailey, Senior Advisor at or (765) 494-7538.

Writer: George Bailey, 765-494-7538,

Tags: Health IT Security

Purdue University, West Lafayette, IN 47907 (765) 496-1911

© 2014 Purdue University | An equal access/equal opportunity university | Copyright Complaints

If you have trouble accessing this page because of a disability, please contact Purdue Technical Assistance Program