OCR Phase 2 Audits: HIPAA Requirements, Scope, and How to Prepare
OCR Phase 2 HIPAA Audits Overview
OCR Phase 2 audits evaluate how well organizations implement the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule across day-to-day operations. These audits were designed to measure real, operational compliance and to identify systemic gaps before incidents occur.
Audits occur in two formats: a remote desk review of submitted documentation and, for some organizations, an on-site assessment with interviews and facility walkthroughs. While educational in purpose, audits can lead to enforcement if serious noncompliance or persistent deficiencies are found.
Audit Scope and Coverage
The scope centers on HIPAA Security Rule compliance for ePHI, the HIPAA Privacy Rule’s requirements for permissible uses and disclosures, and the Breach Notification Rule’s obligations after an incident. Review areas typically include governance, risk analysis and risk management, workforce training, access controls, logging and monitoring, data integrity, and incident response.
Auditors also examine Notices of Privacy Practices, right-of-access processes, minimum necessary standards, and breach risk assessment methodology. Evidence often includes policies and procedures, technical configurations, security risk assessments, incident records, training attestations, and business associate agreements with downstream oversight.
Covered Entities and Business Associates
Covered entities include health care providers, health plans, and health care clearinghouses. Business associates encompass vendors that create, receive, maintain, or transmit ePHI, such as cloud hosting providers, EHR vendors, billing services, and e-prescribing platforms.
Under the Omnibus Final Rule, business associates are directly liable for compliance with applicable HIPAA requirements, and covered entities must execute robust business associate agreements. Effective BAAs define permitted uses and disclosures, security safeguards, breach reporting, subcontractor flow-downs, and termination rights for noncompliance.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
OCR Audit Process
OCR identifies potential auditees and requests contact information and key organizational details. Selected organizations receive a document request letter with a short turnaround for submitting evidence. The initial phase is usually a desk review of artifacts mapped to the HIPAA standards.
Some organizations proceed to an on-site review that includes interviews with leadership and operational teams, validation of technical safeguards, and physical security walk-throughs. After fieldwork, OCR issues draft findings, allows a management response, and then finalizes results. Outcomes may include technical assistance, corrective action plans, or referral for enforcement if warranted.
Preparation Steps for Audits
- Complete an enterprise-wide HIPAA security risk analysis and maintain a living risk management plan with documented remediation and timelines.
- Inventory systems, data flows, and vendors that handle ePHI; ensure current business associate agreements and ongoing vendor due diligence.
- Harden access controls (role-based access, MFA where feasible), apply encryption for data in transit and at rest, and enforce device/media controls for laptops, mobile devices, and removable media.
- Establish logging, audit controls, and regular review of activity reports, including alerts for anomalous access and exfiltration.
- Document ransomware incident response procedures that coordinate Security Rule containment, evidence preservation, and Breach Notification Rule decisioning.
- Maintain comprehensive Privacy Rule documentation: Notice of Privacy Practices, right-of-access workflows, minimum necessary evaluations, and complaint handling.
- Train workforce annually and at role change; track completion, competency, and sanctions for nonadherence.
- Curate an “audit-ready” evidence library with clearly labeled policies, risk analyses, network diagrams, vendor inventories, training logs, incident logs, and prior remediation proof.
- Conduct a mock audit using the OCR audit protocol, validate citations to specific HIPAA standards, and rehearse leadership and SME interview responses.
- Assign an audit coordinator, define RACI for requests, and prepare rapid collection and quality review of artifacts before submission.
Updated OCR Audit Protocol
The updated OCR audit protocol organizes requirements by the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, detailing key activities and the types of evidence auditors may request. It reflects Omnibus Final Rule changes and expands expectations for business associates, making it a practical self-assessment workbook.
Use the protocol to map each citation to your controls, name the control owner, and link to evidence. Prioritize frequent gap areas: risk analysis and risk management, access management, encryption and device/media controls, contingency planning and backups, right of access, minimum necessary, breach risk assessment, and vendor oversight.
Interpreting Audit Findings
Classify each finding by severity, regulatory citation, and whether the specification is required or addressable. Identify root causes (process, technology, training, vendor) and quantify risk to ePHI confidentiality, integrity, and availability to guide remediation.
Build a corrective action plan with owners, milestones, and measurable outcomes; document interim compensating controls; and verify completion with evidence. Close the loop by updating your risk analysis and training where procedures have changed.
Summary: By aligning governance, technical safeguards, vendor oversight, and ransomware incident response to the OCR audit protocol, you strengthen compliance across the HIPAA Security Rule, the HIPAA Privacy Rule, and the Breach Notification Rule—and you stay audit-ready year-round.
FAQs
What entities are subject to OCR Phase 2 audits?
Both covered entities (providers, health plans, clearinghouses) and business associates that create, receive, maintain, or transmit ePHI may be selected. The selection is risk-based and aims to reflect a cross-section of the health care ecosystem, including organizations of varying sizes and technical models.
How long do OCR Phase 2 on-site audits last?
On-site work typically spans several business days, depending on organizational size, complexity, and the number of locations and systems in scope. Expect interviews, walk-throughs, and technical validation, preceded by a focused document production window.
What are the key HIPAA standards assessed during audits?
Audits assess the HIPAA Security Rule (administrative, physical, and technical safeguards), the HIPAA Privacy Rule (uses/disclosures, minimum necessary, right of access), and the Breach Notification Rule (investigation, risk assessment, and timely notifications). Business associate agreements and vendor oversight are also core review elements.
How can organizations prepare for an OCR Phase 2 audit?
Perform an up-to-date security risk analysis, maintain a prioritized remediation plan, validate Privacy Rule processes, and rehearse incident response, including ransomware scenarios. Keep current business associate agreements, centralize audit-ready evidence, and run a mock audit against the updated OCR audit protocol to verify controls and documentation.