Update on HIPAA Phase 2 Audits from HIPAA Conference 2017

Linda Sanches of the Office for Civil Rights (OCR), U.S. Department of Health and Human Services, provided much-anticipated updates on Phase 2 HIPAA audit activities at the annual HIPAA conference. NIST and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), co-hosted the 10th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, on September 5-6, 2017 at the Hyatt Regency, Washington, D.C.

The conference explored the current healthcare cybersecurity landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The event also highlighted the present state of healthcare cybersecurity, along with practical strategies, tips, and techniques for implementing the HIPAA Security Rule. The Security Rule sets federal standards to protect the confidentiality, integrity, and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical, and technical safeguards.

For the complete program agenda you can visit:


The event hashtag is #HIPAASecurity. Join the conversation and tweet your questions.

As you may recall, HHS OCR, under the HITECH Act, initiated the Phase 1 and Phase 2 audits to:

  • Identify best practices; uncover risks and vulnerabilities; detect areas for technical assistance; encourage consistent attention to compliance
  • Learn from this phase in structuring a permanent audit program
  • Develop tools and guidance for industry self-evaluation and breach prevention

Linda Sanches provided the latest update on the Phase 2 audit results. Here is a quick summary:

  • Desk audits of covered entities (CEs) are complete
  • Desk audits of business associates (BAs) are underway
  • On-site audits of both CEs and BAs will take place after the desk audit process is complete, evaluating against a comprehensive selection of controls in the audit protocols
  • Any desk audit subject may also be selected for an on-site audit

As part of the Phase 2 desk audits, HHS OCR has audited:

CE Audits (166)

  • Privacy and Breach Rules (103)
  • Security Rules (63)

BA Audits (41) (Pending)

  • Breach and Security

Privacy Rule Controls

  • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  • Provision of Notice – Electronic Notice [§164.520(c)(3)]
  • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule Controls

  • Timeliness of Notification [§164.404(b)]
  • Content of Notification [§164.404(c)(1)]

Security Rule Controls

  • Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
  • Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

Key Findings:

  • Only a handful of entities have fully met compliance goals and objectives
  • None of the organizations have met all HIPAA security risk analysis and risk management requirements
  • Right of access requests and the Notice of Privacy Practices (NPP) appear to be another weak area for the audited entities

For any questions on HIPAA/HITECH compliance assurance, or to request a complimentary quote, visit:

