The United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has begun Phase 2 of its audit program. Phase 2 will address both Covered Entity and Business Associate compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Phase 2, which follows OCR’s initial Phase 1 Pilot audits of 115 Covered Entities in 2011 and 2012, further continues OCR’s effort to conduct periodic compliance audits, mandated by HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the HIPAA Omnibus Final Rule (“Omnibus”). OCR has announced that it is considering a broad spectrum of audit candidates to better assess HIPAA compliance across the health care industry. The Phase 2 audits seek to enhance industry awareness of compliance obligations. Based on the information obtained in the Phase 2 audits, OCR plans to develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. The results will be used to develop OCR’s permanent audit program.

What does this mean for the myriad of businesses who work with Covered Entities, such as health care providers, insurers, and many employee-sponsored group health plans? Read the Client Alert here to find out.

This Client Alert has been prepared by Tucker Ellis LLP for the use of our clients. Although prepared by professionals, it should not be used as a substitute for legal counseling in specific situations. Readers should not act upon the information contained herein without professional guidance.