August 23, 2016

Employee Benefits & Executive Compensation Advisory: HIPAA Phase 2 Audits: What Has OCR Requested from Auditees to Date?


Alston & Bird

In our April 8, 2016, advisory, we discussed the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR) “Phase 2” audit program. Then, we could only make educated guesses about what documents OCR would likely request from auditees. However, on July 11, 2016, OCR contacted the covered entities it selected. Although the tight 10-day turnaround caused some angst for those audited, the scope of OCR’s requests (drawn directly from the OCR audit protocol document) was less onerous than many predicted (especially given the length of the protocol document).

That said, while HIPAA-covered entities that were not selected can breathe a deep sigh of relief (for now), the audit activity is far from over. As part of its Phase 2 audit program, OCR will next audit business associates based on the information the covered entities provide. Additionally, OCR will conduct onsite audits of covered entities and business associates. It is unclear whether this may include covered entities and business associates that OCR did not select for original desk audits, as OCR said, “[s]ome desk auditees may be subject to a subsequent onsite audit.” Moreover, on August 18, 2016, OCR announced an immediate initiative by its regional offices to increase the number of investigations of breaches that affect fewer than 500 individuals.

Phase 2 Documents Requested: List of Business Associates Via E-mail

Unsurprisingly, OCR requested a list of business associates. OCR provided the following sample template to help auditees respond:


Notably, OCR only requested documents from HIPAA-covered entities during this first stage of the Phase 2 audits. During the next stage, OCR will select business associates for audit from the lists covered entities provided.

Phase 2 Documents Requested: Privacy Rule & Breach Notification Rule Documents or Security Rule Documents Via Secure Website Upload

Although OCR required auditees to submit their list of business associates by e-mail, it provided a secure website for auditees to upload the other documents it requested. In a webinar, OCR indicated that “entities will either be audited on [Security Rule] controls or [Privacy Rule & Breach Notification Rule] compliance.”

The documents that OCR typically requested of covered entities selected for Privacy Rule and Breach Notification Rule audits included:

  • All HIPAA notices of privacy practices posted on the entity’s website, within its facility or distributed to individuals that were in place at the end of 2015. In its desk audit guidance, OCR clarified that this includes translations.
  • The URL for the website where the notice of privacy practices was posted, if any. In addition, if electronic notice was provided, OCR requested its policies and procedures regarding electronic distribution, as well as a sample of an individual’s consent to receive the notice via e-mail or electronically.
  • Policies and procedures for individuals to request access to protected health information (PHI), as well as documentation for the first access requests granted in 2015 and evidence of their fulfillment. OCR also requested documentation for the last five access requests for which the entity extended its time to respond, as well as any standard template or letter that the entity uses or requires to grant access requests. When a third-party administrator decides access requests for a health plan, HHS stated in a Q&A that the covered entity should provide a description of how the business associate handles access requests in the comment section. Thankfully, the desk audit guidance clarified that access requests do not include third-party disclosure requests that are merely authorized by an individual.
  • Documentation for five breach incidents in 2015 involving fewer than 500 individuals, including the date individuals were notified, the date the covered entity discovered the breach and the reasons for any delayed notification.
  • Documentation for five breach incidents involving 500 or more individuals in 2015, including one written notice sent to an affected individual for each breach, and any standard templates or form letters.

OCR desk audits for the Security Rule can include:

  • HIPAA risk analysis policies and procedures for the six years before the audit request date. OCR also required entities to provide documents from 2015 showing that these documents were available to the individuals responsible for implementing the policies and procedures and that they were reviewed periodically and updated as needed.
  • The most recent HIPAA risk analysis, the risk analysis immediately before it and the results. In the Q&A, HHS stated that it did not want covered entities to create a new risk analysis if the risk analysis is not up to date. Also, although some entities raised concerns that disclosure of this information could become public knowledge under the Freedom of Information Act (FOIA), OCR stated in its desk audit guidance that it believes the information is exempt from the FOIA as “trade secrets or commercial or financial information that is confidential or privileged.” However, OCR noted in its webinar that it might be required to release audit notification and other information about these audits under the FOIA.
  • HIPAA risk management policies and procedures for the six years before the audit date. OCR also required entities to provide documents from 2015 showing that these documents were available to the individuals responsible for implementing the policies and procedures and that they were reviewed periodically and updated as needed. OCR’s desk audit guidance says evidence that the policies and procedures were available to responsible individuals would include screen shots that show document properties and mapped drive permissions.
  • The documents showing efforts used to manage risks in 2015, as well as the measures implemented to reduce risks based on the current risk analysis.

Uploading Documents for Phase 2: Be Careful Before You Press Submit!

OCR hosted an informational webinar shortly after it notified selected covered entities. The webinar included screenshots of what auditees can expect to see when they upload their documents, such as:

(Screenshot: Document Upload)

Of great significance to those responsible for uploading the document, OCR noted in the Q&A during the webinar that “once an entity selects the ‘review and submit’ button, you cannot return to the system to delete and replace files previously uploaded.”

If I’m a Covered Entity That’s Also a Business Associate, Can I Also Expect to Be Audited as a Business Associate?

During its Q&A, OCR stated that “[i]t is possible, but not likely” that it will select a covered entity already chosen for a desk audit for another audit as the business associate of a different covered entity, which might provide some comfort to covered entities that OCR selected for desk audits.

Is OCR Also Increasing the Number of Breach Investigations?

Yes. OCR currently investigates all breaches involving 500 or more individuals. On August 18, 2016, OCR announced an immediate initiative by its regional offices to increase investigations of breaches involving fewer than 500 individuals. Regional offices will identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. Regional offices will consider, among other things:

  • The size of the breach.
  • Theft of or improper disposal of unencrypted PHI.
  • Breaches that involve unwanted intrusions to IT systems (for example, hacking).
  • The amount, nature and sensitivity of the PHI involved.
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

When OCR conducts investigations, it often assesses penalties for not conducting a risk assessment and/or not having adequate security policies and procedures. For example, after the theft of an unencrypted smartphone with the PHI of 412 individuals, OCR assessed a $650,000 penalty for not having security incident and mobile device policies.

Even before OCR’s announcement, we noticed a marked increase in the investigation of small breaches, particularly when there was a pattern of small breaches. Covered entities and business associates must be careful because these investigations often result in substantial monetary penalties for not maintaining adequate policies, procedures and/or records of risk assessments.


No one is off the hook yet. Although OCR has made its Phase 2 desk audit requests for covered entities, business associates are next. And covered entities and business associates remain subject to onsite audits whether or not they were selected for a desk audit. Moreover, this year’s foray into the audit world is proving to be a mere prelude to more detailed investigations involving small breaches, as OCR just announced its new investigation initiative. It would be wise to ensure that you can provide the documents HHS has requested to date during its Phase 2 desk audits, as well as any other documents required to comply with HIPAA (including the ones mentioned in our April 8, 2016, advisory), in case you are selected for a desk audit or are investigated due to a breach.


This advisory is published by Alston & Bird LLP’s Employee Benefits & Executive Compensation practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.
