News Archive

Are you ready for an audit?

April 29, 2016

Keep your eyes out for an e-mail from Uncle Sam.

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) is gearing up its efforts to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA), and has begun its next phase of audits focused not only on covered entities but also their business associates.

OCR says these audits will help them identify best practices and proactively uncover and address risks and vulnerabilities to protected health information.

This round of audits will include reviews of the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules. They will primarily be desk audits, although some on-site audits will be conducted.

The audits will begin with an e-mail from OCR, requesting contact information. OCR will then transmit a pre-audit questionnaire to gather data about the size, type and operations of potential auditees. This data will be used with other information to create potential audit subject pools.

Make sure to check your e-mail system's junk folder, as OCR warns their initial e-mail may be incorrectly classified as spam by your computer's web filtering or anti-virus software.

If an entity does not respond to OCR's request to verify its contact information or pre-audit questionnaire, OCR will use publicly-available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. OCR says it will use the audits to develop tools and guidance to assist the industry in compliance, self-evaluation and in preventing breaches. OCR will evaluate the results and procedures used in the phase two audits to develop their permanent audit program.

Texas covered entities and their business associates can streamline an OCR audit and demonstrate evidence of their security risk assessment by obtaining this information from an objective third party, such as the state's SECURETexas certification offered by the Texas Health Services Authority (THSA). In addition to simplifying an OCR review, the certification scorecard can serve as objective third-party evidence of an entity's history of prior compliance with the HIPAA administrative simplification provisions — a factor that the HHS secretary must consider in any action brought against a HIPAA-covered entity for an alleged violation of HIPAA. A SECURETexas certification also serves as a mitigating factor for any penalties brought under state law.

THSA will continue to monitor any news on OCR's efforts and keep you apprised.

To learn more about OCR's Phase 2 Audit program, visit 

To learn more about SECURETexas, visit 

Follow OCR on Twitter at