The Office of Civil Rights (OCR) of the Department of Health and Human Services has moved forward with Phase 2 of its Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit program. On Monday, July 11, 2016, OCR sent emails to 167 covered entities (including health plans, health care, and health care clearinghouses) notifying them that they have been selected for a “desk audit” designed to assess compliance with particular aspects of the Privacy, Security, and Breach Notification Rules of HIPAA. Specifically, the desk audits focus on:

  • the content and electronic provision of the Notice of Privacy Practices,
  • the right to access Protected Health Information,
  • timeliness and content of breach notifications, and
  • the entity’s security risk analysis and general security risk management.

The audits target these requirements because OCR’s pilot audits and enforcement activities have shown them to be common areas of noncompliance. In addition to notifying covered entities about their inclusion in the audit program, the emails contain a request to provide a listing of the covered entity’s business associates (due to be selected for desk audits this fall) and information about an upcoming OCR webinar on the desk audit process.

Covered entities should check their spam and junk mail folders for any emails from to determine if they have been selected for a desk audit. Two separate emails were sent to each covered entity selected. If your plan or organization has been selected for audit, you will have 10 business days (until July 22, 2016) to respond to the requests.

As the federal health care reform effort gained steam, Ballard Spahr attorneys established the Health Care Reform Initiative to monitor and analyze legislative developments. With federal health care reform now a reality our attorneys are assisting health care entities and employers in understanding the relevant changes and planning for the future. They also have launched the Health Care Reform Dashboard, an online resource center for news and analysis on developments under the Affordable Care Act.

If you have questions about HIPAA audits, contact Ed Leeds at 215.864.8419 or or Laura Heacock at 215.864.8864 or