
OCR’s Third Phase of HIPAA Compliance Audits Underway

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has confirmed that the long-awaited third phase of its HIPAA compliance audits is underway and will involve HIPAA compliance audits of 50 covered entities and business associates.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires OCR to conduct periodic audits of HIPAA-regulated entities to assess their compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The first phase of HIPAA audits commenced in 2012 and consisted of 115 audits (61 healthcare providers, 47 health plans, and 7 healthcare clearinghouses). The much-delayed second phase of compliance audits was conducted in 2016/2017 and involved 207 desk audits (166 covered entities and 41 business associates). Both rounds of audits identified widespread non-compliance with the HIPAA Rules, and most entities audited in the second phase were found to have largely failed to achieve HIPAA compliance.

The third phase of HIPAA audits has also faced considerable delays due to a lack of resources. OCR’s workload has increased considerably, yet its budget has remained flat. OCR investigates all data breaches that affect more than 500 individuals. In 2010 and 2011, approximately 200 large data breaches were reported to OCR each year by HIPAA-regulated entities. In 2020, more than three times as many data breaches were reported, and for the past 4 years, more than 700 large data breaches have been reported each year. On top of that, the number of complaints filed with OCR about potential HIPAA violations has continued to increase. There was a 306% increase in complaints between 2010 and 2023.

In early 2024, OCR sought feedback on ways it could improve its HIPAA audit program, and in the summer of 2024, despite the financial challenges faced by OCR, then OCR Director Melanie Fontes-Rainer confirmed that the HIPAA audit program would commence before the end of the year. Tim Noonan, OCR’s deputy director of health information privacy, recently confirmed that the third phase of compliance audits commenced in December 2024 and consists of reviews of compliance with certain provisions of the HIPAA Security Rule most relevant to the prevention of hacking and ransomware attacks. Noonan explained that between 2020 and 2024, hacking incidents increased by 30% and there was a 45% increase in ransomware attacks on the healthcare sector, with 81% of all data breaches reported to OCR last year due to hacking.


The HHS Office of Inspector General conducted an audit of OCR’s 2016/2017 audit program and found that the audits were narrow in scope, assessing compliance with only 8 of the 180 HIPAA Rule requirements, of which only two related to the administrative safeguards of the HIPAA Security Rule. It is currently unclear exactly which HIPAA requirements are being assessed in the third-phase audits. According to OCR, “These Audits will give OCR an opportunity to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
