Audit photo for OCR audit blog

On March 21, 2016, the Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Jocelyn Samuels, announced the launch of Phase 2 of its HIPAA compliance audit program for covered entities and business associates. Expanding upon Phase 1 audits conducted in 2012, Phase 2 audits will use newly released audit protocols.

What to expect
Starting this month with limited-scope desk audits until July and on-site full compliance audits later in 2016, Phase 2 of the HIPAA audit program is now in effect. Additional details on what to expect from the audits are outlined in our previous Phase 2 audits blog post, which can be accessed here . In this post, we’ll take a look at the recently announced audit protocols that were not yet released during our last post, and how your organization can ensure it’s prepared.

The new audit protocols are more specific than the previous audit protocols, addressing documentation requirements more comprehensively than the 2012 version. In total, there are 169 audit protocols: 78 for security, 81 for privacy and 10 for breach notification. Approximately one-third of the protocols ask for documentation, which will need to be submitted electronically to the OCR’s new secure online portal. With regard to privacy, the major areas are 1) uses and disclosures, 2) minimum necessary standard, 3) patient rights, 4) notice of privacy practices, 5) business associates and 6) administrative requirements.

How to prepare your organization
The best way to get ready for these compliance audits is to prepare the workforce and assemble an audit team that can communicate effectively with senior management and champion compliance activities. Here’s how to get started:

  • Educate the team: Present information on the audit protocols and inquires, reviewing how and where your organization’s relevant documentation can be accessed for potential audit requests.
  • Conduct internal audits: After the review, a mock audit team could be assembled to simulate complying with some or all of the Phase 2 audit protocols.
  • Address potential gaps: The mock audit should help identify areas where policies and procedures may be lacking or insufficiently documented. Those corrections should be completed before the Phase 2 desk audits begin.

Although the OCR released the protocols prior to soliciting input, they invite the public to submit feedback by emailing

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.