The Department of Health and Human Services (HHS) has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules.
This phase affects covered entities and business associates. If an audit reveals a serious compliance issue, HHS’ Office for Civil Rights (OCR) may investigate. The entities selected for an audit will have 10 business days to submit the requested information, and another 10 business days to respond to draft findings.
Covered entities and business associates should still prepare for a possible audit by reviewing their compliance with HIPAA’s Privacy, Security and Breach Notification Rules.
Communications from OCR will be sent via email and may be incorrectly classified as spam, so OCR expects covered entities and business associates to check their spam folders for emails from OSOCRAudit@hhs.gov. An entity that does not respond to OCR may still be selected for an audit or be subject to a compliance review.