It took a while, but phase 2 of the HIPAA Audit Program, conducted by the Health and Human Services’ Office for Civil Rights (OCR), is here. Healthcare-related organizations from the smallest business associate to the largest covered entity are eligible for this phase of audits—no one is immune.

But amidst the scramble to gather documentation and prove compliance with the three HIPAA Rules (Privacy, Security, and Breach Notification), I think it’s helpful to take a step back and examine the purpose of the audits, and what it really means should your organization fall short in some way.

Why the audits?

OCR says the audits “present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities…and enable us to get out in front of problems before they result in breaches.” The phase 2 audit results will be used to create a permanent HIPAA audit program, according to HealthcareInfoSecurity.

OCR director Jocelyn Samuels has said that the audits are not intended to be “punitive.” However, if the audit reveals a “serious compliance issue,” OCR may launch a compliance review. And Barbara Holland, OCR’s regional manager of the Mid-Atlantic region, said in Cybersecurity Today, “We are beginning to raise our expectations about compliance. We know some people have struggled to comply, but we are expecting more from traditional providers. We have a lower tolerance for noncompliance.”

More than a slap on the wrist

This “lower tolerance for noncompliance” can cost healthcare organizations big. According to a thought piece by attorneys at McDermott Will & Emery, OCR has collected $11 million in settlements since last fall.

In March, for example, North Memorial Health Care of Minnesota was fined $1.55 million for potential violations of the HIPAA Privacy and Security Rules. The healthcare organization did not have a business associate agreement in place with a contractor, nor did it perform an organization-wide risk analysis to address threats to patient information.

And in April, Raleigh Orthopedic Clinic in North Carolina agreed to pay $750,000 for a potential violation of the Privacy Rule. The clinic gave X-ray films and related protected health information (PHI) of more than 17,000 patients to a potential business partner without first signing a business associate agreement.

It’s more than just money—reputation is at stake. Healthcare organizations, even if they have not violated any HIPAA Rules, are required to contemporaneously report breaches involving 500 or more individuals to HHS, which then immediately lists the breach on its so-called “wall of shame.” So far in 2016, the site lists 137 such breaches.

Keep your sights on compliance

Clearly, compliance with the three HIPAA Rules is a big deal for regulators. As it should be. The rules are in place to safeguard sensitive health information. But compliance is no easy feat. The updated OCR Audit protocol, for example, lists about 180 areas within these three rules that may be examined by auditors.

If the results of the phase 2 audits are indeed used to develop a permanent audit program, healthcare organizations and their business associates must keep compliance in their crosshairs, not just for this phase of audits, but from here on out.
