HIPAA audits 2025

HIPAA audits have begun despite staff cutbacks and restructuring at the U.S. Department of Health and Human Services (HHS). The HHS Office for Civil Rights (OCR), which enforces HIPAA, will conduct the audits.

HIPAA Audits History

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires HHS to periodically audit HIPAA compliance of covered entities and business associates. 

This will be the third phase of HIPAA audits: the first phase occurred in 2011-2012, and the most recent phase occurred in 2016-2017. During Phase 2, OCR discovered that the most significant failure among regulated entities was the inability to conduct a HIPAA risk analysis.

A strong HIPAA risk analysis and risk management plan are the core of HIPAA compliance and the best way to combat cyber attacks like ransomware.

HIPAA Audits Today

As noted by HHS, ransomware, destructive malware, and other malicious hacking continue to threaten the U.S. health care and public health sector and the privacy and security of electronic protected health information (ePHI).

In recent years, HIPAA covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and business associates have faced devastating cyberattacks that negatively impacted hospital operations, patient care, and access to patient records. These cybersecurity incidents have led to significant financial repercussions for the industry and have harmed individuals whose personal information was compromised. HHS believes these losses demonstrate that HIPAA covered entities and their business associates would benefit from HIPAA Security Rule compliance audits.

Tim Noonan, deputy director for health information privacy, data, and cybersecurity at OCR, described the audits during a prerecorded virtual HIPAA summit that aired last week. He noted that the audits are designed to address the HIPAA provisions most relevant to ransomware and hacking.

According to Noonan, from 2020 through 2024, hacking incidents increased by 30%, and ransomware attacks rose by 45% in major health data breaches reported to HHS OCR.

And in 2024, 81% of major breaches affecting 500 or more individuals reported to HHS OCR involved hacking.

Structure of the 2025 HIPAA Audits

The current HIPAA audits will review 50 organizations’ compliance with selected provisions of the HIPAA Security Rule. The audits will examine methods of compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that OCR’s enforcement activities may not have revealed. OCR says the audits will benefit the selected covered entities and business associates by assessing their Security Rule compliance and providing information on improving their cybersecurity defenses for electronic protected health information.

OCR will publish a report summarizing its findings after the audits are completed.

HIPAA Security Rule Update is Pending

Other work underway at OCR includes reviewing public comments on proposed updates to the Security Rule. After all the comments are evaluated, OCR will work within HHS to decide what future actions it will take on the proposed changes.

The HIPAA E-Tool® Solves Audits

The HIPAA E-Tool® is the easiest way to sharpen your Security Rule compliance. The Security Rule Checklist in the E-Tool walks you through all the Security Rule safeguards in a logical, easy-to-understand way.

To manage an audit, The HIPAA E-Tool® is the only HIPAA compliance solution that contains all 180 audit protocols (questions and requests for documents) published by OCR after the Phase 2 audits. These protocols apply to the Privacy, Security, and Breach Notification Rules.

The Security Rule includes 72 audit protocols, from encryption to information access management to data backup to contingency operations, among many more. With clickable links from the audit protocols to your policies, The HIPAA E-Tool® turns an expensive headache into an A+ grade in far less time.

Call The HIPAA E-Tool® for fast help today. Or you can download your one-page guide to prepare for a HIPAA audit here.
