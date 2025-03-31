The HHS Office for Civil Rights resumed its HIPAA audit program in December 2024 after a seven-year hiatus. During the 2024-2025 audits, OCR plans to review the HIPAA compliance efforts of 50 covered entities and business associates, with a marked focus on the HIPAA Security Rule provisions most relevant to hacking and ransomware attacks.

The chosen entities will have to organize documentation and gather the necessary materials for OCR to assess the auditee's compliance with the HIPAA rules. Even if a covered entity or business associate was not chosen for this round of audits, preparing for future iterations of the HIPAA audit program can help entities bolster their security practices and identify compliance gaps.

HIPAA audit program history

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires HHS to conduct periodic audits of covered entities and business associates to assess compliance with the HIPAA Security, Privacy and Breach Notification rules. "The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches," the HHS website states. "OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges."

In 2012, OCR conducted phase one of its audit program. The pilot audit program consisted of on-site audits of covered entities' documentation and compliance with the HIPAA rules. OCR also developed an audit protocol to guide its audit process. The protocol includes sections for every provision in HIPAA and describes key compliance activities, questions entities can apply when reviewing their compliance and measurable performance criteria.

The 2016-2017 audits, known as phase two, included 166 covered entities and 41 business associates. The findings of these audits, published by OCR in an industry report, revealed that the audited covered entities were generally in compliance with just two of the seven areas audited: timeliness of breach notification and prominent posting of a notice of privacy practices on their websites. However, the audits revealed gaps in several other areas, including failure to provide the required content for a notice of privacy practices and failure to implement individual right of access requirements. After the 2016-2017 batch of audits, the audit program was dormant until December 2024.
Prior to the reemergence of the audits, the HIPAA audit program was the subject of a November 2024 HHS Office of Inspector General (OIG) report. OIG recommended that OCR expand its audit program and define metrics for measuring the effectiveness of the audits. OCR concurred with most of OIG's recommendations but noted that it would need more funding and staffing resources to audit every provision within HIPAA. As such, OCR made it clear that it would focus future audits on specific provisions chosen based on industry trends and relevant risks to protected health information.

In March 2025, HHS Secretary Robert F. Kennedy, Jr. announced sweeping cuts to the HHS workforce. Paired with previous offers of early retirement, the restructuring resulted in downsizing from 82,000 to 62,000 full-time employees across HHS. Given OCR's already lean workforce, it is unclear whether these cuts will affect OCR's audit program capabilities. Nonetheless, covered entities and business associates that prepare for potential audits can improve their HIPAA compliance and further safeguard patient information.