The Office for Civil Rights (OCR) conducts HIPAA audits as part of its health information privacy, security, and breach notification compliance activities. These audits serve multiple purposes in protecting healthcare information and ensuring HIPAA compliance.
For 2024-2025, OCR has focused its audits on the growing threat of ransomware and malicious hacking in the healthcare sector, threats that, according to one research paper, have intensified as the sector's reliance on technology has grown. With the rising number of cyberattacks disrupting hospital operations, patient care, and access to patient records, these audits have become more critical than ever.
Go deeper: Cyberattacks on the healthcare sector
Primary objectives
The OCR audit program aims to assess HIPAA compliance across a range of covered entities. These audits serve the following purposes:
- Examining compliance mechanisms
- Identifying and sharing best practices
- Discovering potential risks and vulnerabilities that might not surface through regular complaint investigations
- Preventing problems before they result in breaches
Current focus
The 2024-2025 HIPAA audit cycle will review 50 covered entities and business associates, specifically examining their compliance with HIPAA Security Rule provisions most relevant to hacking and ransomware attacks.
Related: What is a covered entity under HIPAA?
Related: How to know if you’re a business associate
Benefits to healthcare organizations
These audits provide valuable benefits to healthcare organizations by:
- Offering OCR's assessment of their Security Rule compliance
- Providing guidance for improving cybersecurity measures for electronic protected health information (ePHI)
- Helping organizations identify and address potential vulnerabilities before they lead to breaches
Expected outcomes
Following the completion of the 2024-2025 HIPAA audits, OCR will publish an industry report summarizing their findings. This report will help healthcare organizations understand common compliance challenges and implement more effective security measures to protect against cyber threats.
FAQs
What triggers an OCR privacy audit?
OCR conducts periodic audits as required by the HITECH Act, selecting organizations based on various factors including size, type, and location.
What should organizations do to prepare for an audit?
Organizations should review their HIPAA compliance programs, ensure all documentation is current, verify staff training is up-to-date, and conduct internal security assessments focusing on ransomware and hacking prevention.
Read more: Preparing for an OCR HIPAA compliance audit
How long does an OCR privacy audit take?
The duration varies with the organization's size and complexity, but an audit typically involves several weeks of document review and assessment. Organizations are given specific deadlines for submitting the documentation OCR requests.
Related: How long should HIPAA compliance audit logs be kept?
What happens if the audit reveals compliance issues?
OCR typically provides organizations with its findings and recommendations for improvement. While audits are not primarily enforcement actions, significant compliance issues may lead to further investigation or corrective action plans.