HIPAA audits are coming. These are part of a ramped-up enforcement strategy at the Office for Civil Rights (OCR), which oversees HIPAA. The audits, with new cybersecurity guidelines and changes to the Privacy and Security rules, aim to strengthen HIPAA compliance in the healthcare sector, which continues to be vulnerable leaving patient privacy at risk.
The U.S. Department of Health and Human Services (HHS) announced a HIPAA audit survey in the Federal Register on February 12, 2024. Later, the OCR director confirmed that random audits of covered entities and business associates would begin later this year.
Do not wait for the auditors to call. Now is the time to prioritize HIPAA compliance so you can pass.
HHS and OCR first plan to evaluate the effectiveness of the last HIPAA audit program, Phase 2, which ended in 2017. OCR will survey the 207 organizations that participated in the Phase 2 audits. The online survey of 39 questions will ask for information about HIPAA compliance actions taken after those audits to evaluate their effectiveness and the counseling the organizations obtained from OCR in response to the audits.
The survey will allow regulated entities to give HHS feedback on the audits, such as whether HHS guidance was helpful and whether the audit helped improve compliance. The survey also asks for information about the burden the audits place on entities – specifically regarding the collection of necessary documents and audit-related requests – and how the audit program impacts day-to-day business operations.
HIPAA Audits are Part of a Larger Enforcement Strategy
On February 14, 2024, OCR Director Melanie Fontes Ranier confirmed to Information Security Media Group (ISMG) that OCR audits are returning.
“OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.”
In December 2023, HHS announced a new strategy for the healthcare sector to improve cybersecurity. OCR also plans to begin updates to the HIPAA Security Rule in the Spring of 2024; we’ve previously reported on coming changes to the Privacy Rule.
An HHS OCR spokesperson speaking to ISMG said,
“Future audits will continue to provide insight into how regulated entities are implementing the requirements of the HIPAA Rules,”
Return of the audits is also consistent with enhanced enforcement, such as the cooperation between OCR and the FTC on website tracking technology violations.
Phase 2 HIPAA Audits Revealed Huge Gaps
The first HIPAA audit program started in 2011 after the HITECH Act of 2009 required OCR to conduct audits. Phase 1 audits took place in 2011-2012. However, the audit program has not been consistent since then, and consequently, regulated entities have not felt pressure to improve compliance.
In the most recent round of Phase 2 audits completed in 2017, OCR discovered widespread shortcomings in compliance by both covered entities and business associates. In its December 2020 HIPAA Audits Report, HHS described the critical areas of noncompliance.
Generally, covered entities demonstrated compliance in only two of the seven areas audited: (1) timeliness of breach notification and (2) prominent posting of the Notice of Privacy Practices on their websites. However, covered entities did not comply with the individual right of access requirements and content of breach notification provisions. The report also explained that covered entities still struggle to implement HIPAA’s risk analysis and risk management requirements.
The HIPAA E-Tool® Keeps You Compliant and Up-to-Date
You can pass a HIPAA audit with flying colors with The HIPAA E-Tool®. We monitor the law and update the E-Tool as soon as changes occur.
The HIPAA E-Tool® Contains the Audit Protocols
All policies and procedures of The HIPAA E-Tool® are completely aligned with all 180 HIPAA Compliance Audit Protocols (questions, inquiries and document requests) of HHS. We added the audit protocols to the E-Tool after HHS issued its report in 2020 to help entities self-audit to maintain compliance and to help them manage an OCR audit.
If you’d like help improving compliance, give The HIPAA E-Tool® a call.