OCR Launches Phase 2 of HIPAA Audits in Wake of Recent Settlements.

Date posted: April 6, 2016

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently began the next phase of its Health Insurance Portability and Accountability Act (HIPAA) audit program.  The program will review covered entity and business associate compliance with the HIPAA Privacy, Security and Breach Notification Rules.  In Phase 2, OCR will evaluate organizational policies and procedures for compliance with certain HIPAA standards and implementation specifications.  To commence Phase 2, OCR will transmit a pre-audit questionnaire to compile information regarding each organization’s size, type, and operations.  OCR will subsequently use the data to create potential audit subject pools.  Notably, the Phase 2 launch coincides with several OCR settlements of potential HIPAA violations.

Recent OCR settlements include:

  • Feinstein Institute for Medical Research agreed to pay OCR $3.9 million for a stolen laptop containing 13,000 patient and research participants’ protected health information (PHI). The PHI stored on the laptop included names, birthdates, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information pertaining to research study participation.
  • North Memorial Health Care of Minnesota (North Memorial) will pay OCR $1.5 million for failing to enter into a business associate agreement with a major contractor. North Memorial further failed to implement an organization-wide risk analysis to address vulnerabilities to PHI in its applications, software, workstations, electronic media, and other business processes.
  • Triple-S Management Corporation (Triple-S) settled potential HIPAA violations for $3.5 million and agreed to adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. OCR found that Triple-S impermissibly disclosed PHI to outside vendors, and used or disclosed more PHI than necessary to carry out mailings, among other violations.

Phase 2 is part of OCR’s overall goal to examine HIPAA-related mechanisms and to identify best practices for a wide range of organizations.  The audits will enable OCR to identify and address risks and vulnerabilities before they result in breaches.

The OCR press release is available at:


OCR HIPAA News Releases & Bulletins are available at:


Department of Health and Human Services Office for Civil Rights.  “OCR Launches Phase 2 of HIPAA Audit Program.”  Press Release.  21 Mar. 2016.

‹ Return to the Main News Page
‹ Return to the CRC Homepage