In October 2015, the Office of Inspector General (OIG) of HHS released a report on HIPAA privacy compliance audits. The study reviewed a sample of privacy cases that were investigated between September 2009 and March 2011. What they found was that 54% of entities sampled were out of compliance and that not enough was being done to investigate noncompliance before a complaint was made.

As a result, the study concluded that the Office for Civil Rights (OCR) should:

1. Fully implement a permanent audit program;
2. Maintain complete documentation of corrective action;
3. Develop an efficient method of its case-tracking system to search for and track covered entities;
4. Develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
5. Continue to expand outreach and education efforts to covered entities.

In an effort to combat these breaches, HHS announced that it will be launching “phase two” of its audits in early 2016.  According to OCR, phase two will “test the efficacy of desk reviews of policies as well as on-site reviews; it will target common areas of noncompliance; and it will include HIPAA business associates. The scope and structure of the audit program long-term will ultimately depend upon the availability and allocation of resources for the program.”