HIPAA Compliance Audits Target Security Rule Provisions Amid Rising Cyber Threats

The U.S. Department of Health and Human Services (HHS) has initiated HIPAA compliance audits of covered entities and business associates, marking the first round of assessments in close to a decade. This move seeks to address the significant uptick in ransomware and hacking incidents reported to federal authorities in recent years.
As Tim Noonan, deputy director of health information privacy, data, and cybersecurity for HHS Office for Civil Rights (OCR), explained during a virtual HIPAA summit, the audits will closely examine the provisions of HIPAA that are most relevant to safeguarding against cyber threats. The 2024-2025 audit cycle, which commenced in late December, encompasses 50 covered healthcare organizations and their business associates.
Noonan highlighted the pressing nature of these audits, noting that from 2020 to 2024, there has been a 30% increase in hacking incidents classified as major health data breaches, while ransomware attacks have surged by 45%. In 2024 alone, 81% of significant breaches reported to HHS OCR involved hacking, underscoring the critical vulnerabilities in the healthcare sector.
Specific details regarding the provisions of the HIPAA security rule being examined, as well as the criteria for selecting audit subjects, were not disclosed. HHS OCR has yet to respond to inquiries seeking further information about the audit timeline and the precise aspects of HIPAA compliance under scrutiny.
These audits were previously mandated under the HITECH Act of 2009 but have been dormant since 2016-2017. Recently, HHS OCR reiterated its intent to revitalize the audit program, a development highlighted in a February 2024 announcement that described the agency’s intention to conduct a survey of organizations that underwent previous audits to evaluate program effectiveness and identify areas for improvement.
In November 2023, a report from the HHS Office of Inspector General (OIG) called for the resumption of the HIPAA audit program, emphasizing the necessity of establishing standards to rectify deficiencies discovered during audits in a timely manner. HHS OCR responded by citing resource constraints as a factor that hindered the prompt relaunch of the audit initiative.
The agency says the ongoing audits provide a vital opportunity to assess how compliance is being achieved, identify best practices for protecting health information, and uncover risks that previous enforcement actions may not have surfaced. Following the conclusion of the 2024-2025 audits, HHS OCR plans to publish a comprehensive report detailing its findings.
Additionally, attention is shifting to the proposed updates to the HIPAA security rule, as HHS OCR has recently begun analyzing public comments submitted on the proposal made in January. As the agency reviews that feedback, it will consider future actions that may refine and strengthen compliance standards in the ongoing effort to protect sensitive patient data.