Resource Tools

Our Team

We welcome the opportunity to put our experience and perspective to work for you. Please contact us.


Deborah Gersh
+1 312 845 1307


Timothy M. McCrystal
+1 617 951 7278


The U.S. Department of Health and Human Services’ Office for Civil Rights has announced the second phase of its HIPAA audit program. In view of the OCR’s recent increase in enforcement activity, it is imperative for organizations to prepare.

What To Do

  • Look out for an OCR e-mail
    • Notification letters were sent to covered entities on July 11, 2016
    • Check your e-mail spam folder periodically
  • Ensure that an OCR e-mail is legitimate
    • Check to see that the e-mail is
      • Sent from
      • Substantially similar to this letter
      • Not prompting you to provide log-in credentials, PHI or other confidential information; only asking for your organization’s primary contact
    • If the e-mail doesn’t appear legitimate, do not respond and report it to the OCR
  • Respond and prepare
    • Provide requested contact information
    • Review your current compliance plan
    • Review your company’s risk analysis and address concerns
      • Review your entity’s current HIPAA security risk assessment and plan
      • Examine your entity’s protections for mobile devices, such as remote wiping and/or remote disabling technology
      • Examine security protections for ePHI, such as encryption
      • Assess your entity’s disaster recovery plan and procedures for terminating PHI access for ex-employees
      • Ensure that the risk analysis and policies are up to date
      • Remind employees about the minimum necessary standard
      • Prepare a list of business associates and their contact information
    • Respond to pre-audit screening questionnaire
    • Provide requested list of your business associates

How We Can Help

  • HIPAA Audit Overview
    • What to expect and how to prepare for the HIPAA audit program
  • Self-assessment toolkit
    • A checklist that covered entities and business associates can use to conduct a preliminary self-assessment (complimentary offering)
  • Primer/CLE Presentation
    • Overview of the audit process and steps that can be taken to prepare for it (complimentary offering)
  • Hotline/Helpdesk
    • Monthly bank of hours dedicated to counseling on general HIPAA compliance and/or preparation for pending audits (offered at a fixed fee)
  • Policy Audit and Gap Analysis
    • Review of your company’s existing policies for HIPAA privacy compliance gaps and suggested steps for improving compliance and mitigating risks (offered at a fixed fee)
  • Model Policies and Procedures
    • Suite of HIPAA privacy and security policies, including data breach notification policies, privacy procedures and training materials (offered at a fixed fee)