The Department of Health and Human Services’ Office of Civil Rights (OCR) has emailed 167 healthcare organizations to notify them that they will be subject to a HIPAA compliance audit covering both the privacy and security rules. The 167 organizations chosen received email notifications on July 11, participated in a private webinar with OCR officials two days later, and have approximately two weeks to respond with documentation.

A HIPAA lawyer and former OCR senior policy adviser has hinted that half of the 167 organizations selected will have to respond on privacy measures and the other half on security measures. However, all audited healthcare organizations will be required to show how they are complying with the HIPAA breach notification rule.

In this second wave of HIPAA audits, all 167 organizations will be required to provide a list of their business associates that handle protected health information. From the lists, OCR will select some business associates to be HIPAA audited in an upcoming round of reviews. This will be the first time business associates will be audited for HIPAA compliance.

All of these HIPAA audits are expected to be desk audits, which means there will be no physical visits from OCR or its subcontractor audit firms. However, if a desk audit finds violations that warrant further investigation rather than just corrective action, it is assumed that OCR will make onsite visits to those organizations.

Regardless of whether your practice was one of the 167 chosen for audits, it’s important to follow all HIPAA privacy, security, and breach notification rules. Is your practice in compliance?