Navigant's Cyber Risk and Information Security PracticeLearn More


Phase 2 HIPAA Audits10 May 2017


Phase 2 Audits for the Health Insurance Portability and Accountability Act (HIPAA) are currently underway and medical practices should be aware that the Office of Civil Rights (OCR) is targeting an increasingly broad range of covered entities and business associates. This comprehensive approach is likely to continue when they begin Phase 3 Audits. HIPAA is designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other healthcare providers.

Over the past 10 years, dental offices have had difficulties with HIPAA compliance due to requirements for ongoing training, overwhelming policies and procedures, complex risk assessment management plans, and documentation. Many dental offices are self-contained entities; however, they are still required to comply with the full range of HIPAA safeguards and rules. The HIPAA rules for dentists apply to any dental office that sends claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. Policies must be developed to instruct dental office employees on procedures for the use, disclosure and safeguarding of the electronic protected health information (ePHI) – not only to patients and colleagues, but also to business associates.

Phase 2 of the OCR Audits span “Covered Entities (CE’s) and Business Associates (BA’s).” The audits will review policies and procedures employed by CE’s and BA’s to meet the requirements of the Privacy, Security & Breach Notification Rules. They will be comprised of mainly desk audits and some on-site audits. Therefore, dental practices need to have a current HIPAA risk analysis in place. Make sure that the Notice of Privacy Practices is current and acknowledgement of receipt forms are maintained. Policies and procedures should be in place to identify and respond to breaches. The OCR will also want to see how the practices respond to patient requests to access and amend their records.

These Audits have become more stringent with rules and policies so preparation is of the utmost importance. Penalties and fines can range from $50,000 per violation up to a maximum of $1.5 million. The fines are issued per violation category, per year that the violation was allowed to persist. Make sure that your practice is prepared. For more information on preparing for a HIPAA Compliance Audit, please contact COMPASS at or 667-401-5108.

Work With Us Learn How