As part of continued efforts by the U.S. Department of Health and Human Services (HHS) to measure and evaluate HIPAA compliance among covered entities and their business associates, the HHS Office for Civil Rights (OCR) has begun phase 2 of its HIPAA Audit Program.

OCR is required to perform periodic audits of covered entities and their business associates to ensure HIPAA compliance.

Over the next several months, OCR will notify selected covered entities via email to request documentation for a desk audit. Those selected will be required to provide the requested information in digital form, through a secure online portal, within 10 business days.

While the HIPAA Audit Program will consist mainly of desk audits, some covered entities may be selected for an onsite audit to be conducted over three to five days, depending on the size of the entity.

After the audits are completed, OCR will review and aggregate the information gathered from all of its reports. The aggregated data will help OCR determine any systematic issues with fulfilling particular HIPAA requirements, the types of technical assistance that should be developed, and corrective actions that would be most helpful to covered entities and consumers.

OCR's primary objective is to assess HIPAA compliance across the health care industry, taking into account a wide range of factors in potential auditees. Selected participants for this phase of the program will represent a range of health care providers, health plans, clearinghouses and business associates. Those already undergoing compliance reviews or complaint investigations will not be selected for the audit.

To learn more about OCR's HIPAA Audit Program objectives and procedures, please review its frequently asked questions page.