OCR Confirms HIPAA Compliance Audit Surveys Sent

Since the sending of the letters was first reported, there has been much speculation over the past week about whether the OCR pre-screening surveys have actually been dispatched. The Department of Health and Human Services’ Office for Civil Rights has now confirmed to Fierce Health IT that its preliminary HIPAA surveys have been dispatched, marking the start of the 2015 HIPAA compliance audits.

In an article in the National Law Review on Monday, McDermott Will & Emery announced that phase 2 of the HIPAA compliance audits was no longer being delayed, after the firm had been notified by some of its clients that an OCR HIPAA audit screening survey had been received.

The purpose of the screening surveys is to ensure that all contact and organization information is correct. The OCR auditors can then select the organizations most appropriate for audit. From the responses, the OCR is expected to select 350 covered entities and 50 Business Associates for an audit on the Security Rule, Privacy Rule, Breach Notification Rule or a combination audit comprising 2 or 3 audit modules.

The OCR is expected to audit healthcare providers, health plans and healthcare clearinghouses first, with Business Associate HIPAA audits to follow.

It is not clear at this stage whether the surveys have been sent out to all 1,200 entities that formed the initial sample, or whether Business Associates have been contacted yet. According to McDermott Will & Emery, the OCR is working with a pool of between 550 and 800 CEs. If this is the case, any covered entity receiving a survey may have a 50% chance or higher of being audited.

Start Date of Second Round HIPAA Audits not yet Announced


The OCR statement, issued by e-mail, confirmed that the pre-audit surveys had been sent, but provided no information as to when the second round of compliance audits will take place. According to the original schedule for the audits, which were supposed to commence in the fall of 2014, the surveys were scheduled to be sent around this time of year, indicating that the audits will only have been delayed a year and will take place this fall.

The statement said “Additional information about the audit program is forthcoming,” with covered entities instructed to “Check our website for updates.”

Once the notice is placed on the OCR website, the audits are expected to commence approximately 90 days later, giving covered entities three more months to ensure they are fully HIPAA-compliant before that compliance is put to the test.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.