The Department of Health and Human Services’ Office for Civil Rights has officially kicked off its much anticipated second phase of audits of covered entities and their business associates. Required under the 2009 HITECH Act, the OCR must perform periodic audits of both covered entities—healthcare providers, health insurance plans, healthcare clearinghouses—and business associates for compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) privacy, security, and breach notification rules. The first phase was conducted as a pilot audit program in 2011 and 2012 on 115 covered entities.
