
OCR HIPAA Audit Program to Commence in 2024

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires the HHS’ Office for Civil Rights (OCR) to conduct periodic audits of HIPAA-regulated entities to assess compliance with the HIPAA Rules. OCR Director Melanie Fontes Rainer has confirmed that audits will be taking place this year and will focus on HIPAA Security Rule compliance.

The HIPAA audit program was slow to commence, with the first round of audits conducted in 2012. There was then a long break before the second round of audits, which were conducted between 2016 and 2017; the findings of that round were published by OCR in 2020. While OCR has been considering a permanent HIPAA audit program, multiple OCR directors have struggled to implement such a program due to a lack of resources. OCR’s budget has remained flat for years even though OCR’s workload has been increasing. OCR investigates all breaches of 500 or more records, which were reported at a rate of around 200 a year in 2010 and 2011. In 2014, more than 300 breaches were reported, and breaches more than doubled between 2017 and 2023, reaching 725 data breaches last year.

In addition to the increase in data breaches, the breaches are getting larger. In 2017, across the 358 reported breaches of 500 or more records, 5.13 million records were exposed or impermissibly disclosed. The following year almost 14 million records were compromised, 45 million records were breached in 2021, almost 52 million in 2022, and more than 133 million records were breached in 2023. That massive total will likely be eclipsed this year due to the ransomware attack on Change Healthcare. That attack alone could involve a similar number of records as 2023’s annual total.

The high numbers of data breaches now being reported strongly suggest that many healthcare organizations are not fully compliant with the HIPAA Security Rule or that the safeguards they have implemented to comply with HIPAA are not proving to be effective. Another round of audits is necessary to establish the current state of compliance and will help OCR’s future efforts to improve cybersecurity across the healthcare sector.

HIPAA Audit Program 2024

In February 2024, OCR published a notice in the Federal Register seeking feedback from entities audited in the second phase of audits to gather information that could be used to improve OCR’s future audit programs. The request for information was a sign that the audit program was being resurrected. The audit program is labor-intensive, and OCR’s resources are still stretched, despite some restructuring last year to make better use of its resources. While Fontes Rainer has confirmed that OCR is currently working on the program and audits will be taking place this year, an exact time frame has not been announced and the scale of the HIPAA audits is currently unclear.

OCR has learned from its investigations of data breaches that many HIPAA-regulated entities are failing to conduct comprehensive, accurate, organization-wide risk analyses to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information, and that poor risk analysis practices are a significant factor contributing to data breaches. In order for risks to be managed and reduced to an acceptable level, they must first be identified. HIPAA-regulated entities are failing to find and address those risks, but they are not proving difficult for hackers to find. According to Fontes Rainer, risk analysis failures are commonly identified during investigations of data breaches at small and medium-sized organizations.

OCR launched a new enforcement initiative last year that is focused on compliance with the risk analysis provision of the HIPAA Security Rule and has been conducting webinars and providing technical assistance to help HIPAA-regulated entities comply with this important Security Rule provision. The risk analysis and risk management provisions of the HIPAA Security Rule will be a major focus in the upcoming HIPAA audits, alongside broader Security Rule compliance. With the next round of HIPAA audits fast approaching, it is important for HIPAA-regulated entities to prepare.

OCR stated in its recent Healthcare Sector Cybersecurity Strategy concept paper that it is working on an update to the HIPAA Security Rule that is anticipated to be finalized by the end of the year. While the 20-year-old Security Rule was written to be technology agnostic to stand the test of time, it is clear that updates are required to reflect changes in working practices and technology, such as widespread adoption of the cloud. The updates will ensure that cybersecurity practices that are now standard are reflected in the Security Rule, such as end-to-end encryption and multifactor authentication.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
