
HIPAA Phase 2 Audits


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun to implement Phase 2 of its audit program. It intends to use this audit program to ensure compliance with HIPAA’s Privacy, Security and Breach Notification Rules.


Who will be subject to these audits?


The HIPAA Phase 2 audits apply to any entity that must comply with HIPAA’s Privacy, Security and Breach Notification Rules. This includes health plans, healthcare providers, healthcare clearinghouses and business associates, including third party administrators. Phase 1 audits focused primarily on providers; Phase 2 extends to business associates as well.


How are entities selected for audit?


An entity may receive a pre-audit questionnaire from OCR to verify contact information, size, business type and operation information. From the group of entities that receive the questionnaire, OCR will then select a random sample of those to be audited.


Receiving a questionnaire does not guarantee that the recipient will be audited, but preparation for a full audit should begin as soon as one is received.


HHS has stated that entities should be diligent in checking their spam folders to ensure they receive all emails sent by HHS/OCR. Ignoring or failing to notice an email regarding an audit will not exempt an entity from being audited.


What does the audit entail?


These are the steps in the audit process:


• When the audit notification letter is received, the preliminary information (contact details, size, business type and operations) will be verified.


• A request to submit documentation electronically will follow. All information must be submitted through OCR’s secure online portal within 10 business days of the request. Documents that exist only in paper form will need to be scanned for electronic transmittal.


• Some entities will be selected for an on-site audit, in addition to the desk audit conducted on their electronically submitted documents.


More information is available in the Phase 2 audit protocol published by OCR on the HHS website.


What documents will be requested?


Documents that are frequently requested* include:



• HIPAA Privacy Policies and Procedures

• HIPAA Security Policies and Procedures

• HIPAA Breach Notification Policies and Procedures

• Business Associate Agreements

• HIPAA Security Risk Assessment

• Logs of unauthorized uses and disclosures of PHI

• Documentation of investigations into potential HIPAA breaches

• Breach notification letters for confirmed breaches

• Requests for access to and amendment of PHI, and the responses to those requests

• HIPAA Notice of Privacy Practices

• Records of HIPAA training provided to individuals with access to PHI

• Sanctions applied to employees who violate HIPAA


*Please note, this list is not all-inclusive of what may be requested during an audit. These are the most frequently requested documents.


What steps should be taken if a pre-audit questionnaire is received?


Those who receive a questionnaire should respond to it, review the documents listed above for completeness and currency, and talk with their own counsel to ensure they are prepared if selected for an audit.


If you have any questions, please contact your Client Management team.


This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.