HIPAA Desk Audits are Underway! BA Desk Audits Right Around the Corner

Sullivan Stolier Schulze & Grubb LC, 7/26/2016

On July 11, 2016, HHS Office of Civil Rights (OCR) notified 167 Covered Entities (CE) of their selection, via a random sampling process, to participate in HIPAA desk audits. Desk audits will be limited in scope to a total of seven (7) Privacy, Security, and Breach Notification Rule requirements. To review these elements go to:

Some CEs may be chosen for further review via onsite audits. Comprehensive onsite audits of both CEs and BAs will begin in early 2017. They will evaluate auditees against a comprehensive set of HIPAA compliance controls.

CEs (and, later, Business Associates (BAs)) will receive two (2) separate documentation requests from OCR – one asking for a listing of policies, procedures, and/or other related documentation, and one requesting a list of all the CE’s BAs. The request will specify the documentation elements to be provided.
Each auditee is expected to:

  • Provide only the policies and procedures that are relevant to the controls requested;
  • Provide clear, complete, and responsive documentation to OCR; and
  • Auditees will not receive “credit” for a later documentation submission.

If a CE/BA does not have the requested documentation, it must submit an explanation for the deficiency in its response.

Following the desk audit, OCR will prepare draft findings and share them with the CE/BA. The CE/BA may respond to the draft findings in writing, and those responses will be included in the final audit report. Final audit reports will describe how the audit was conducted, present any findings, and contain entity responses to the draft findings.

Note that OCR has separate, broad authority to open a compliance review of any CE/BA where significant threats to the privacy and security of PHI are revealed through the audit.


BA desk audits will begin in the Fall. The selection pool will be comprised largely of BAs identified by the audited CEs in their document responses.

Comprehensive onsite audits of both CEs and BAs are expected to begin in early 2017.

For some frequently asked questions and answers see:

Sullivan Stolier Schulze & Grubb LC has assisted healthcare providers for many years with compliance and other healthcare regulatory issues.