The American Recovery and Reinvestment Act of 2009 (ARRA) tasked the Office of Civil Rights (OCR) (the division of the Department of Health and Human Services responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) and the regulations promulgated thereunder) with conducting audits of covered entities and business associates for compliance with HIPAA. Phase One concluded in 2012, and covered entities and business associates have since been waiting for the rollout of Phase Two. The Phase Two audits will be the first time business associates may find themselves face-to-face with OCR, as Phase One audits did not include business associates. The protocol for Phase Two audits is to include changes to the regulations from the 2013 Omnibus Final Rule, which vastly expanded the types of entities falling within the definition of “business associate” and implemented regulations prescribed by the Health Information Technology for Economic and Clinical Health Act (HITECH) subjecting business associates to liability under HIPAA for compliance with the Security Rule and most of the Privacy Rule.
Phase Two audits were expected to begin in late 2014, but Jocelyn Samuels, the Director of OCR, recently announced that budgetary and staffing considerations have further delayed the rollout of Phase Two audits. Although she did not give a specific date on which the Phase Two audits would commence, Ms. Samuels did not downplay their imminence, explaining that the audits would begin “expeditiously.”