As we know, the Phase II HIPAA audits are underway for both Covered Entities and Business Associates.
In Ober|Kaler’s recent webinar, HIPAA Audits Have Arrived (Again), we cautioned that OCR’s notification letters regarding audit selection may be erroneously categorized as spam. This concern was validated by a recent message from OCR containing the same warning. Therefore all Covered Entities and Business Associates should search their spam or junk folders for messages from OSOCRAudit@hhs.gov. Covered Entities and Business Associates that do not get the notification or do not respond may still be selected, and such nonresponse will require OCR to look at publicly available information to answer its initial questions. This also denies the Covered Entity or Business Associate the ability to craft its responses to the initial audit questions, which could create a disadvantage.