How will the selection process work for Phase 2 HIPAA audit?

Once entity contact information is obtained, a questionnaire designed to gather data about the size, type, and operations of potential auditees will be sent to Covered Entities and Business Associates. As a part of the pre-audit screening questionnaire, OCR is asking that entities identify their business associates. We encourage covered entities to prepare a list of each business associate with contact information so that they are able to respond to this request. OCR will conduct a random sample of entities in the audit pool. Selected auditees will then be notified of their participation.

If a Covered Entity or Business Associate fails to respond to information requests, OCR will use publically available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.