The HHS Office for Civil Rights (OCR) announced on Monday that it has launched the long-awaited Phase 2 of its HIPAA Privacy, Security, and Breach Notification Audit Program.

The purpose of the Audit Program is to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security and Breach Notification Rules. The audits are intended to supplement OCR’s other enforcement tools, such as complaint investigations and compliance reviews.

The Audit Program was established pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH). In 2011 and 2012, OCR implemented a pilot program – or Phase 1 – which assessed the HIPAA compliance of 115 covered entities. OCR has applied the experience gained from the pilot program toward developing and refining Phase 2 of the Audit Program.

In Phase 2, all covered entities and business associates, of all shapes and sizes, are eligible for an audit. OCR is currently reaching out to potential auditees by email to verify their contact information, and is identifying pools of organizations that represent a wide range of covered entities (health care providers, health plans and health care clearinghouses) and business associates, so that it can evaluate HIPAA compliance across the industry. OCR has said that it will not audit organizations with an open complaint investigation or that are currently undergoing a compliance review.

The first set of audits will be desk audits of covered entities, followed by a second round of desk audits of business associates. These desk audits will examine compliance with specific requirements of the HIPAA Rules, and will be completed by the end of December 2016. The third set of audits will be onsite, and will involve a more comprehensive review of HIPAA requirements.

OCR is creating enhanced audit protocols, updated to reflect the HIPAA Omnibus Rule, which will be used in the Phase 2 audits. Covered entities and business associates can use these same protocols to conduct internal self-audits as part of their HIPAA compliance programs and to prepare for an OCR audit.

OCR stated that it will use the information gained from the audits to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.” It plans to use the results of Phase 2 to develop its permanent audit program.

Anyone wishing to conduct a self-audit should consult experienced counsel regarding the purpose and structure of the audit.