As you may have recently read (for example, “HHS/OCR Announces Launch of HIPAA Audit Program Phase 2”), the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has started “Phase 2” of its audit program. Like the Phase 1 audits, OCR intends to use the audits to examine compliance mechanisms, identify best practices and discover risks and vulnerabilities to enhance compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. Phase 2 will be primarily desk audits, although OCR will conduct some on-site audits. If an audit reveals serious compliance issues, OCR might also launch an investigation. So now is the time to look at HIPAA compliance for your health plan and take corrective action, if needed. Business associates should do the same, as they are also subject to Phase 2 audits.