HHS OCR Plans to Resurrect Random HIPAA Audits

As U.S. federal regulators fine-tune a strategy to push the healthcare sector into strengthening
its cybersecurity posture, they are revisiting a HIPAA compliance audit program that’s been
dormant since 2017. A new round of HIPAA audits for regulated entities is in the works.

The Department of Health and Human Services recently published a notice saying that its
Office for Civil Rights would be pulling the trigger soon on a study to assess its HIPAA
compliance audit program, last used in 2017.

HHS OCR officials on Wednesday confirmed that new HIPAA audits are indeed on the way.
“OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can
assist regulated entities in improving their HIPAA compliance and their protection of health
information,” said Melanie Fontes Rainer, OCR director.

The audits also will evaluate regulated entities’ compliance with potential changes to the HIPAA
Security Rule that the agency is planning for this year.

“Any future potential changes to the HIPAA Security Rule will be incorporated into future
audits,” an HHS OCR spokesperson told Information Security Media Group. “OCR intends to
initiate new audits of HIPAA-regulated entities’ compliance with the HIPAA rules, and this
information will assist OCR in its future audits.”

The agency said it is conducting a review of the 2016-2017 HIPAA audits to determine how
effective they were at assessing the HIPAA compliance efforts of covered entities.

HHS OCR was mandated to conduct HIPAA audits under the HITECH Act of 2009, but the
effort was slow to take off.

“This issue is significant,” said regulatory attorney Paul Hales of the Hales Law Group. “Neither
covered entities nor business associates expect a federal audit of their HIPAA compliance.”

Between 2016 and 2017, in its most recent round of compliance audits, HHS OCR reviewed a
little over 200 covered entities and business associates through remote audits.

In December 2020, HHS OCR finally issued a report on its findings from the HIPAA compliance
audit program conducted in 2016 and 2017 that illustrates the shortcomings of covered entities
and business associates that were chosen for reviews.

The shortcomings spotlighted in the report are still common today, including the failure to
conduct a security risk analysis and to give patients access to their records.

The audit covered only seven topics, “and all CEs and BAs knew they were on the shortlist for
audit and knew the questions in advance,” Hales said. HHS OCR published its audit protocols
in advance of the audits. “Nevertheless, 86% of covered entities and 83% of business
associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk
management audit,” Hales said.

If you have questions about risk management or risk analysis audits or what the OCR’s pivot
back to HIPAA compliance audits means for your organization, call ITPAC today.