The Office of Civil Rights (OCR) of the Department of Health and Human Services has moved forward with Phase 2 of its Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit program. On Monday, July 11, 2016, OCR sent emails to 167 covered entities (including health plans, health care, and health care clearinghouses) notifying them that they have been selected for a "desk audit" designed to assess compliance with particular aspects of the Privacy, Security, and Breach Notification Rules of HIPAA. Specifically, the desk audits focus on:

  • the content and electronic provision of the Notice of Privacy Practices,

  • the right to access Protected Health Information,

  • timeliness and content of breach notifications, and

  • the entity's security risk analysis and general security risk management.

The audits target these requirements because OCR's pilot audits and enforcement activities have shown them to be common areas of noncompliance. In addition to notifying covered entities about their inclusion in the audit program, the emails contain a request to provide a listing of the covered entity’s business associates (due to be selected for desk audits this fall) and information about an upcoming OCR webinar on the desk audit process.

Covered entities should check their spam and junk mail folders for any emails from to determine if they have been selected for a desk audit. Two separate emails were sent to each covered entity selected. If your plan or organization has been selected for audit, you will have 10 business days (until July 22, 2016) to respond to the requests.

As the federal health care reform effort gained steam, Ballard Spahr attorneys established the Health Care Reform Initiative to monitor and analyze legislative developments. With federal health care reform now a reality our attorneys are assisting health care entities and employers in understanding the relevant changes and planning for the future. They also have launched the Health Care Reform Dashboard, an online resource center for news and analysis on developments under the Affordable Care Act.

If you have questions about HIPAA audits, contact Ed Leeds at 215.864.8419 or

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.