Who's Going to be Audited This Time?
OCR has written explicit provisions into its Phase 2 audit program to cover both CEs and BAs this time around, saying that "every covered entity and business associate is eligible for an audit."
OCR is looking to identify CEs and BAs that vary in size, operation, and location. It will look at a wide range of potential auditees to attain a broad analysis of HIPAA compliance across the health care industry. However, an organization with an ongoing complaint that is being investigated by OCR will not be eligible for a Phase 2 audit.
Two hundred CEs and BAs in total are set to be audited during this initial round of desk-only audits. A CE or BA chosen to be part of the group of potential auditees can expect the process to follow a fairly simple route, outlined below:
Round 1 - Email Contact and Questionnaire