HIPAA Audits: Preparing for Phase 2 Audits for Covered Entities and Business Associates

Developing, Ensuring and Documenting HIPAA and HITECH Privacy and Security Compliance

Recording of a 90-minute CLE webinar with Q&A

Conducted on Wednesday, August 19, 2015

Recorded event now available


This CLE course will provide guidance for healthcare counsel on the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) Phase 2 HIPAA audits, including preparing for OCR audits, conducting self-audits, and minimizing the risks of HIPAA noncompliance.


The OCR recently provided insights about its Phase 2 HIPAA audits of compliance with the HIPAA and HITECH privacy, security and breach notification standards. With the rising number of data breaches, covered entities and business associates will continue to see increased scrutiny in this area, making careful HIPAA compliance essential.

Unlike the Phase 1 audits, which were conducted by an outside contractor, the Phase 2 audits will be conducted by OCR itself. Some of the audits will be conducted by desk review, although comprehensive on-site reviews are also anticipated. Noncompliance with the HIPAA standards or failure to fully cooperate in the audits could result in the imposition of civil monetary penalties.

Healthcare counsel and privacy and security professionals must understand the scope and process for the Phase 2 audits to fully prepare covered entity and business associate clients for an audit. They should also guide clients in identifying and eliminating gaps in HIPAA compliance, particularly the common gaps that OCR identified through the Phase 1 audits.

Listen as our authoritative panel of healthcare attorneys discusses lessons learned from past audits, OCR Phase 2 audit scope and timeline, and how to prepare for audits using a risk-based approach. The panel will also offer best practices to identify risks of noncompliance and minimize those risks.



  1. OCR’s Phase 2 HIPAA audits
    1. Who will be included and selection process
    2. Scope
    3. Timelines
    4. Audit process
    5. Lessons learned from past audits
  2. Preparing for an OCR audit
  3. Conducting a self-audit
    1. Policies addressing privacy
    2. Security of PHI
    3. Reporting procedures
  4. Best practices for identifying and minimizing risks of noncompliance


The panel will address these and other key issues:

  • What lessons can be learned from OCR’s Phase 1 audits?
  • What is the Phase 2 audit process?
  • What steps should covered entities and business associates take to prepare for OCR audits?
  • What practices should covered entities and business associates employ to successfully navigate a Phase 2 audit?


Dianne J. Bourque

Mintz Levin Cohn Ferris Glovsky and Popeo

Ms. Bourque counsels clients on the requirements of the HIPAA Privacy Rule and Security Standards. She regularly...

Ryan S. Higgins

McDermott Will & Emery

Mr. Higgins focuses his practice on representing hospitals, health systems, private equity firms and platform...

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.
