Office of Civil Rights HIPAA Privacy, Security, and Breach Notification Program

On March 21st the Office of Civil Rights (OCR) announced the launch of Phase 2 of the HIPAA Audit Program. Phase 2 of the HIPAA Audit Program will review the policies and procedures of the covered entities and their business associates to meet selected standards and implement specifications of the Privacy, Security, and Breach Notification Rules.


These audits will primarily be desk audits, with some on-site audits. OCR will post updated audit protocols for the audits on its website. The audit protocol will reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct internal self-audits as part of their HIPAA compliance activities.

Sequence and scope:

  1. The address verification letters will be sent out
  2. The second step will be the mailing of the Entity Questionnaire
  3. Conduct 200 desk/onsite audits
  4. Desk audits will be completed by the end of CY 2016
  5. Results and lessons learned will be shared publicly and will be used for the framework of the permanent program
  6. Security Assessments and Gap analyses are not the same in the eyes of the OCR. A comprehensive Security Assessment must include all forms of PHI (not just EHR data).
  7. Patient Right of Access will be included in the audit protocol
  8. Audit Protocols will be released in the near future

To learn more about OCR's Phase 2 Audit program, please visit their website, listed in the sources below.

To learn more about HIPAA, check out our wide variety of material, from webcasts to blogs, and training opportunities at the National Cybersecurity Institute.


U.S. Department of Health & Human Services (n.d.). HIPAA Privacy, Security, and Breach Notification Audit Program. Retrieved from