Physician Practice

Q&A: You’ve got questions! We’ve got answers!

Physician Practice Insider, February 7, 2017

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: The Office for Civil Rights (OCR) has said that the comprehensive HIPAA audits will occur in 2017. We received a pre-audit letter as a CE but were not audited as part of the CE round of phase two desk audits. What is included in the comprehensive audits, and is there a chance we will be audited?

A: At this time, little is known about what will be examined as part of the comprehensive HIPAA audits.  OCR indicated at the AHIMA Privacy and Security Institute on October 16 that it will release more detailed information about what will be covered as part of the comprehensive audits soon.

OCR indicated that it expects to kick off the comprehensive audits in early 2017. OCR will be using the same pool it drew from to select CEs and BAs for the comprehensive audit. For BAs, that pool is limited to only the BAs that were reported to OCR by CEs during round one of the phase two desk audits. Per OCR, CEs who received pre-audit letters and were not audited, CEs who were audited, and CEs who did not receive a pre-audit letter, have an equal chance to be selected for the comprehensive audits. BAs who were selected for a desk audit and those that were not also have an equal chance of being selected for a comprehensive audit in 2017.

Editor’s note: Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon, answered this question for Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your questions to Associate Editor Nicole Votta at

Most Popular