After a seven-year break, the Office for Civil Rights (OCR) restarts its HIPAA privacy audits because of the surge in cyberattacks targeting healthcare organizations.
The OCR is set to resume its HIPAA privacy audits after a seven-year hiatus, in response to a significant rise in cyberattacks targeting healthcare organizations. The resumed audits aim to strengthen protections for patients' electronic protected health information (ePHI) and verify HIPAA compliance.
The last HIPAA audits were conducted between 2016 and 2017, and the findings from these audits were released in 2020. The Office of the Inspector General (OIG) has called for enhancements to the HIPAA audit program to bridge the gaps in the way that protections for ePHI were assessed.
In the previous audit round, OCR audited 166 covered entities and 41 business associates between 2016 and 2017, and the findings showed significant weaknesses in data security practices. OIG's recent report identified two leading shortcomings in OCR's past audit program: a narrow scope that failed to effectively assess protections for ePHI, and ineffective oversight that did not sufficiently improve cybersecurity among audited entities.
In response to these findings, OCR has agreed to expand the scope of future audits to include physical and technical safeguards, develop criteria for compliance reviews, and establish metrics to monitor the effectiveness of the audits.
Beyond the audits, OCR's broader enforcement work will continue to involve reviewing complaints, investigating breaches affecting 500 or more individuals, and pursuing resolution agreements or formal enforcement actions where necessary.
The expected timeline for resuming HIPAA audits is later this year or early 2025. Healthcare organizations should prepare by reviewing and strengthening their HIPAA compliance programs. This includes ensuring an up-to-date and comprehensive HIPAA security risk analysis, policies that meet the HIPAA Privacy, Security, and Breach Notification Rule requirements, workforce HIPAA training, and business associate agreements (BAAs) where required. Additionally, organizations should ensure their Notice of Privacy Practices is compliant and properly distributed. The expanded audit scope will require healthcare providers to strengthen their physical and technical safeguards and be ready for more stringent oversight from OCR.
Related: What are the HIPAA requirements after a breach?
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI.
If a healthcare organization fails to comply with HIPAA requirements, OCR may open an investigation and pursue enforcement actions. These can include settlement agreements with corrective action plans, civil monetary penalties, and, in cases of willful neglect, formal enforcement actions.
Read more: What happens when you fail to send a breach notification
Future HIPAA audits will have an expanded scope to include physical and technical safeguards. OCR will focus on specific provisions based on industry trends and prevalent risks, ensuring a more comprehensive assessment of healthcare organizations' data security practices.