How to Prepare for Phase 2 HIPAA Compliance Audits

by Sarah Harvey / October 6th, 2017

The U.S. Department of Health and Human Services Office for Civil Rights announced on March 21, 2016 that Phase 2 of the HIPAA audits have officially begun. Now, more than a year later, 200 desk audits have occurred, but covered entities and business associates are still struggling to know what to focus on and in which areas they are lacking safeguards. In this webinar hosted by LockPath, Joseph Kirkpatrick shares his insights on trends from Phase 1 and 2 HIPAA audits and where we’re headed in 2018.

In Phase 1, we learned that 65% of findings were from the Security Rule. 42.7% of issues from the Security Rule were from Administrative Safeguards, 40.54% were from Technical Safeguards, and 16.76% were from Physical Safeguards. 81% of findings were from healthcare providers, and 66% of findings were from Level 4 entities.

In this presentation, we discuss a few different settlement and enforcement examples. Obviously, the Equifax breach gives us a lot to talk about, but, we also take a look at Anchorage Community Mental Health Services. They were fined $150,000 for failure to follow Security Rule policies and procedures and failure to identify and address risk. Next, we discuss the $4.3 million Civil Money Penalty on Cignet for violations of the Privacy Rule, failure to provide patients with medical records, and failure to cooperate with the Federal Government. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) was fined $650,000 for failure to perform a thorough Risk Analysis and failure to implement appropriate security measures.

For covered entities, Phase 2 audits focused on Notice of Privacy Practices Content Requirements, Provision of Privacy Notices – Electronic Notice, Right to Access, Timeliness of Breach Notification, and Content of Breach Notification. For business associates, Phase 2 audits focused on Risk Analysis, Risk Management, and Breach Reporting to the Covered Entity. We recommend going over the detailed audit protocol information provided by the U.S. Department of Health and Human Services.

About LockPath

LockPath is a leader in integrated risk management solutions. Their suite of applications empower companies to manage risk, demonstrate compliance, monitor information security, and achieve audit-ready status. Companies ranging from 10-person offices to Fortune 10 enterprises in over 15 industries address the Gartner IRM use cases with LockPath solutions. In 2017, they are expanding their application portfolio to provide more efficient and effective programs. Learn more at