What's New
Published June 23, 2016
Phase 1 Audit Findings
OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:
- There were no findings or observations for only 11% of the covered entities audited;
- Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
- The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;
- Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
- Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
- Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.
The Phase 2 Audit Program
- Selection of Phase 2 Audit Recipients
- Unlike the Phase 1 Audit Program, which focused on covered entities, OCR will conduct Phase 2 Audits of both covered entities and business associates. OCR has randomly selected a pool of 550–800 covered entities through the National Provider Identifier database and other external sources. OCR will issue a mandatory pre-audit screening survey to the pool of covered entities this summer. The survey will address organization size, measures, location, services and contact information. Based on the responses, the agency will select approximately 350 covered entities, including 232 health care providers, 109 health plans and 9 health care clearinghouses.