The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) began a pilot program in 2012 to assess the procedures implemented by covered entities to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR evaluated the effectiveness of the pilot program and then announced Phase 2 of the program on March 21, 2016. Phase 2 Audits focus on the policies and procedures adopted by both covered entities and business associates to ensure they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Covered entities include health plans, health care clearinghouses, and health care providers; whereas, business associates include anyone handling health information on behalf of a covered entity.

The Health Insurance Portability and Accountability Act (HIPAA) established national standards to secure and protect the privacy of health information. The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to conduct audits of covered entities and business associates in order to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules.