• Ann Arbor
    201 S. Division Street
    Suite 400
    Ann Arbor, MI 48104
    T 734-761-3780
  • Cheboygan
    229 Court Street
    P.O. Box 405
    Cheboygan, MI 49721
    T 231-627-8000
  • Detroit
    1901 St. Antoine Street
    6th Floor at Ford Field
    Detroit, MI 48226
    T 313-259-7777
  • Grand Rapids
    99 Monroe Avenue NW
    Suite 300
    Grand Rapids, MI 49503
    T 616-205-4330
  • Troy
    201 W. Big Beaver Road
    Suite 500
    Troy, MI 48084
    T 248-743-6000
Go to page >
Go to page >
competitive drive

News Center

in the know

HHS Begins Phase 2 of HIPAA Compliance Audits; Is Your Institution Prepared?

A Health Care Client Alert

By: E. William S. Shipman


The Health and Human Services Office of Civil Rights (“OCR”) is initiating Phase 2 of its compliance audits for HIPAA. OCR plans to audit 350 covered entities (including 100 health care providers, 45 health plans, and five health care clearinghouses) and 50 business associates (including 35 IT-related and 15 non IT-related business associates). While Phase I only involved covered entities, Phase 2 will focus on both covered entities and business associates.

Historically, HHS investigated the following compliance matters the most:

  1. Impermissible uses and disclosures of protected health information
  2. Lack of safeguards of protected health information
  3. Lack of patient access to their protected health information
  4. Uses or disclosures of more than the minimum necessary protected health information
  5. Lack of administrative safeguards of electronic protected health information

2014 Phase 2 audits of covered entities will likely focus on:

  • Security-‐Risk analysis and risk management
  • Breach–Content and timeliness of notifications
  • Privacy–Notice and Access

2015 Phase 2 audits of business associates will likely focus on:

  • Security–Risk analysis and risk management
  • Breach–Breach reporting 
  • Security–Device and media controls, transmission security
  • Privacy–Safeguards, training to policies and procures

Health care providers and their business associates should prepare for a possible Phase 2 audit.  Preparations include: (a) confirming that business associate agreements are in place, (b) confirming that assessment of potential security risks have been properly completed, (c) ensuring that proper breach notification policies are in place, (d) ensuring that reasonable and appropriate safeguards for PHI are in place, (e) ensuring proper training of the workforce on HIPAA compliance, (f) confirming the adoption of a facility security plan, and (g) confirming that software transmitting PHI employs encryption technology.

Bodman can provide practical guidance on this matter and others and help your organization ensure that it is ready for a potential audit.  If you would like to discuss these or any other legal issues affecting your organization, please contact the chair of our Health Care Law Group, Bill Shipman, at (313) 393-7562 or wshipman@bodmanlaw.com.

Subscribe for updates

Subscribe for updates