OCR Director Jocelyn Samuels recently stated that audit procedures for phase two HIPAA audits have yet to be finalized, delaying the start date of the audits, according to lexology.com . OCR originally planned to begin phase two audits in fall 2014.
Unlike phase one, the second phase of HIPAA privacy, security, and breach notification audits will likely be desk-based, which means OCR will not conduct on-site audits of covered entities (CE) and business associates (BA) unless resources are available. OCR representatives confirmed during a panel at the 2014 AHIMA Convention and Exhibit September 30, 2014, that the agency had begun its process of randomly selecting CE for the next round of audits, but had not sent notifications to facilities yet. At minimum, it will include large and small hospitals, dental practices, health insurance companies, and health plans in its pool of organizations that may be selected for an audit. BA audits are expected to begin after CE audits are underway, according to the panel.
Visit the OCR audit program website  for the latest on HIPAA audits.