OCR Says HIPAA Audits Will Resume: OIG Makes Recommendations for Enhancement

Recognizing the increasing number of successful cyberattacks targeting health care organizations and their valuable patient data, the Office of the Inspector General (OIG) is calling for enhancements to the HIPAA audit program. In its response to OIG and as detailed below, the Office for Civil Rights’ (OCR) noted that HIPAA audits were expected to resume later this year, presumably meaning in the last few weeks of 2024 or early 2025. OCR last conducted HIPAA audits in 2016-2017, auditing 166 covered entities and 41 business associates. OCR released the findings of those audits in 2020.In its report published in November 2024, OIG highlighted two primary findings:Narrowly Scoped HIPAA Audit Program. OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess protections for electronic protected health information (ePHI) and demonstrate a reduction of risks within the health care sector.Ineffective OCR Oversight. OCR oversight of the HIPAA audit program was not... Read the complete article here...© 2024 Foley & Lardner LLP

featured-image

Recognizing the increasing number of successful cyberattacks targeting health care organizations and their valuable patient data, the Office of the Inspector General (OIG) is calling for enhancements to the HIPAA audit program. In its response to OIG and as detailed below, the Office for Civil Rights’ (OCR) noted that HIPAA audits were expected to resume later this year, presumably meaning in the last few weeks of 2024 or early 2025. OCR last conducted HIPAA audits in 2016-2017, auditing 166 covered entities and 41 business associates.

OCR released the findings of those audits in 2020. In its report published in November 2024, OIG highlighted two primary findings: Narrowly Scoped HIPAA Audit Program. OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess protections for electronic protected health information (ePHI) and demonstrate a reduction of risks within the health care sector.



Ineffective OCR Oversight. OCR oversight of the HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates. In addressing these concerns, OIG made various recommendations for OCR to enhance its HIPAA audit program.

OCR responded to the OIG findings in an August 2024 letter, which OIG published with its report. Here is a summary of OIG’s recommendations for actions by OCR and OCR’s respective responses. Audit Physical and Technical Safeguards : Expand the scope of HIPAA audits to assess compliance with HIPAA Security Rule physical and technical safeguards.

OCR agreed with this recommendation, stating that it will focus future audits on specific provisions based on a variety of factors, including industry trends and the most prevalent risks and vulnerabilities to PHI. Additionally, OCR indicated that future audits may include selected provisions from the HIPAA Security Rule, including physical or technical safeguards. Ensure Deficiencies are Corrected : Document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.

OCR did not concur with this recommendation, stating (i) OCR does not have legal authority in all cases to require such injunctive relief; (ii) OCR does not have the staff or financial resources to pursue this against every audited entity; and (iii) this does not align with the purpose of the HIPAA audit program, where the goal is to provide technical assistance to audit participants where deficiencies are found. Determine When a Compliance Review is Warranted : Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review. OCR agreed with this recommendation, stating it plans to initiate HIPAA audits “later this year” and would develop criteria identifying what factors it would consider in deciding whether to initiate a compliance review of an audited entity where identified compliance issues had not been corrected.

Given that the end of the year is almost here, it is unclear how OCR would maintain that timeline at this point. Notwithstanding, covered entities and business associates should be aware that OCR plans to recommence HIPAA audits and take any necessary steps to ensure compliance with the HIPAA Rules. Metrics to Monitor Effectiveness : Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over PHI and periodically review whether these metrics should be refined.

OCR agreed with this recommendation and stated it will be surveying covered entities and business associates that previously participated in the audits. The survey responses will be used to track how audited entities updated their HIPAA compliance following the audit. Enforcement Process The OIG report included a summary and diagram of OCR’s enforcement process of potential HIPAA violations.

In summary, OCR reviews complaints received through OCR’s complaint portal, events or incidents brought to OCR’s attention (e.g., by breach reports, media, referrals from other agencies, etc.

), or patterns identified through received complaints. OCR must investigate all breach reports affecting 500+ individuals. OCR may commence an investigation if there is a serious compliance issue identified or for breaches affecting less than 500 individuals.

If there is a possible criminal violation, OCR will refer the incident to the Department of Justice, who may perform a criminal investigation in addition to OCR’s civil investigation. OCR will collect a variety of evidence to determine whether the entity was in compliance with the HIPAA Rules. HIPAA-regulated entities are legally required to cooperate with complaint investigations and compliance reviews.

Where OCR finds indications of noncompliance due to willful neglect or determines that the nature and scope of the noncompliance warrants further enforcement action, OCR will pursue a resolution agreement involving a settlement payment and an obligation to complete a corrective action plan to address compliance issues. If OCR and a HIPAA-regulated entity cannot reach an agreement, or if there is a breach of the terms of such a resolution agreement, OCR may pursue formal enforcement, including a civil monetary penalty. Key Takeaways The key takeaway is that OCR is committed to recommencing HIPAA audits and the scope will be expanded from the previous audits.

In expectation of the resumption of these audits, covered entities and business associates should review their HIPAA compliance programs, including ensuring they have an up-to-date and comprehensive HIPAA security risk analysis, policies sufficient to meet the requirements of HIPAA Privacy, Security, and Breach Rules, HIPAA training for workforce members, and business associate agreements in place where required by HIPAA..