HIPAA Audit, Phase 2: Are You in Compliance?

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights has begun its Phase 2 HIPAA Audit Program. 

HHS auditors will review the policies and procedures that practices and other covered entities have adopted and use to meet certain standards and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules.

According to the American Medical Association, “OCR underscored that the audit results are a tool to identify best practices and discover risks and vulnerabilities that OCR may not be aware of through their normal enforcement mechanisms and will be used for educational purposes, not enforcement. The agency noted that if it uncovers a serious compliance issue through the audit process, it may initiate a compliance review to further investigate. The ultimate goal of the audits, however, is to help OCR provide better guidance to the health care community.”

OCR’s initial round of audits is limited in scope. However, the full audit protocol covers some 180 key activities. In fact, the protocol table makes for a comprehensive checklist for HIPAA compliance. Here is a smattering of the activities for which you should have written policies and procedures and be able to show that you’ve followed them, if applicable.

Privacy

  • How do you determine if a person has authority to act on behalf of a patient, for example in regard to minors or the deceased? Do your policies and procedures protect deceased patients’ protected health information for 50 years following their death? 
  • How do you provide for and accommodate requests by patients for confidential communications, for example to contact them only at a certain phone number or only by mail at a certain address? 
  • How do you determine when you need a patient’s authorization, rather than consent, to disclose PHI? How do you obtain a valid authorization when required?  
  • How do you identify business associates, and do you have a business associate agreement with each? 
  • What are your policies and procedures for disclosing PHI to family members, relatives, close personal friends, or others your patient has identified; in disaster relief efforts; for public health activities; about victims of abuse, neglect, or domestic violence; for judicial proceedings; in response to a law enforcement request; to a coroner, medical examiner, or funeral director?

Security

  • Have you conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI you create, receive, maintain, or transmit?  
  • What security measures have you implemented to reduce risks and vulnerabilities to a reasonable and appropriate level? How do you monitor them? 
  • What are your policies and procedures regarding employees who violate your practice’s security policy? 
  • How do you provide employees access to ePHI appropriate to their job duties?  
  • Do you have and follow a security awareness and training program for staff? 

Breach Notification

  • How will you determine if an impermissible use or disclosure of PHI requires notifications under the breach notification rule? 
  • How will you notify patients of a breach of their PHI?  
  • In case of a breach that requires notification, are you prepared to notify the next of kin or a personal representative (if you have his or her address) when you know the affected patient is deceased? 
  • Do you have a process in place for individuals to complain about your compliance with the breach notification rule? 

Visit the TMA HIPAA Resource Center for tools and information to help you get into HIPAA compliance, like a sample authorization form and a sample business associate agreement. Learn about HIPAA security by taking courses in the TMA Education Center, including HIPAA training for staff. See also training materials on HIPAA privacy and security from HHS.

Published July 28, 2016

Last updated February 02, 2017