HIPAA compliance 2024

If you want to build a robust compliance program, you should let go of doing everything perfectly. HIPAA can be overwhelming, especially when you wear multiple hats: you might be training staff, organizing meetings, helping patients, reviewing finance, or working on IT. With limited time and resources, you need to maximize gains for your efforts.

The solution is to find the right priorities and do them well.

HIPAA Enforcement Priorities

For example, you can learn what the Office for Civil Rights (OCR), the HIPAA enforcement office, is focused on and double down on those issues. As time permits, return to complete all the tasks, but do them at a pace that helps you do them well; don’t rush to do everything at once.

OCR Director Melanie Fontes Rainer has shared the agency’s 2024 priorities, including its enforcement plans, in presentations and interviews since February.

The enforcement priorities should be a key focus of your compliance efforts.

When it comes to investigations, OCR prioritizes ones that follow HIPAA complaints and breach trends and summarizes its enforcement focus on the following four areas:

  • Hacking
  • Ransomware
  • Right of Access Enforcement Initiative (this has been in place since 2019)
  • Risk Analysis Enforcement Initiative (this is new, announced in February 2024)

At the HIPAA Summit in February, Director Rainer outlined how hacking/IT incidents are skyrocketing in healthcare and are responsible for the largest proportion of data breaches at regulated entities. As a result, OCR wants covered entities and business associates to do more to prevent hacking, with improvements to cybersecurity defenses.

She also explained that the number of individuals affected by these breaches grew exponentially from 2018 to 2023, from 15.2 million to 134.7 million. The chart here shows this growth occurring among large breaches reported to OCR over those six years, i.e., breaches affecting 500 or more individuals.

The huge growth in the number of individuals affected (ninefold) compared to the increase in the number of breaches (doubled) illustrates that larger companies, including business associates, are getting hacked: a few examples of the larger ones since 2018 include American Medical Collections Agency, LabCorp, and Optum 360 in 2019; Welltok, HCA Healthcare, and Maximus in 2023. The trend continues in 2024, with the Change Healthcare breach affecting 1 in 3 Americans.

Follow the HIPAA Security Rule

Because hacking/IT incidents comprise a large share of healthcare data breaches, OCR prioritizes Security Rule enforcement. For fifteen years, from 2009 through 2023, hacking/IT incidents caused 49% of the large breaches; in the first two months of 2024, they were responsible for 74%.

In an interview with Information Security Media Group (ISMG) in May 2024, Director Rainer indicated that OCR’s investigations revealed that “time and time again, covered entities don’t have a Risk Analysis on the front end.” Without it, organizations are unable to manage their risks. As a result, OCR has begun a Risk Analysis Initiative, an enforcement priority. In addition to enforcement, the Initiative includes education and technical assistance to help regulated entities understand their responsibilities.

OCR underscores that the National Institute of Standards and Technology (NIST) has a revised cybersecurity resource guide to “improve understanding of the HIPAA Security Rule, drive compliance with the law, and bolster cybersecurity.”

In the same interview with ISMG, Director Rainer noted that the Security Rule is under review, and changes to modernize it and keep up with technological advances are likely. In the meantime, regulated entities should conform to the voluntary Cybersecurity Performance Goals (CPGs) to prepare for changes.

HIPAA Audits are Coming

Finally, Director Rainer has explained that OCR plans to begin a new round of random HIPAA audits. While OCR has indicated it expects the audits to start later this year, the exact timing is unknown. OCR first plans to survey audited entities to determine how effective the prior audit round was and whether the process can be improved. The HITECH Act of 2009 mandates OCR to conduct audits, so it’s not a question of whether they’ll happen but when.

In conclusion, your HIPAA compliance priorities today should be:

  1. Do a HIPAA Risk Analysis. If you already have one, review it and refresh it with today’s information. A Risk Analysis should be performed at least annually.
  2. Review the Right of Access rule with patient-facing staff. Make sure patients who request access are provided the records they request promptly and at a reasonable or low cost.
  3. Have IT staff review the most recent NIST guidance and the CPGs.