
HHS OCR back with random HIPAA audits

The US Department of Health and Human Services’ Office for Civil Rights has announced that it will revive its HIPAA compliance program after a seven-year hiatus.


What happened?

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that new HIPAA audits are on the way, to improve healthcare organizations' HIPAA compliance and protection of health information. The audits will also evaluate regulated entities' compliance with potential changes to the HIPAA Security Rule. 

HHS OCR plans to conduct a 39-question online survey of 207 covered entities and business associates that participated in the agency's 2016–2017 HIPAA audits. The online survey will measure the effect of the audits on covered entities' and business associates' subsequent actions to comply with the HIPAA rules. The surveys will also provide organizations with an opportunity to offer feedback on the audits and their features, such as the helpfulness of HHS' guidance materials and communications, the utility of the online submission portal, whether the audit helped improve entity compliance, and the entities' responses to the audit-report findings and recommendations.

The HIPAA audit program's return has caught some experienced HIPAA experts by surprise. They believe that HHS OCR has violated the HITECH Act because it did not conduct annual periodic audits of HIPAA Privacy and Security Rule compliance by covered entities and business associates. Additionally, they claim that HHS OCR did not submit findings of those audits to the Senate and House committees, as required by law.



In the know

The OCR is responsible for enforcing civil rights laws, including those related to healthcare privacy and security. It enforces the HIPAA regulations and conducts regular HIPAA audits. These audits are designed to assess the efforts of covered entities and business associates in safeguarding protected health information (PHI). OCR HIPAA audits may involve both on-site and remote assessments.

HIPAA audits serve two purposes. First, they help identify weaknesses and areas of non-compliance within healthcare organizations' security and privacy practices. By pinpointing vulnerabilities, audits enable entities to rectify deficiencies, thereby enhancing data protection and reducing the risk of breaches. Second, audits serve as a deterrent, signaling to healthcare entities the seriousness of maintaining HIPAA compliance. Through enforcement actions and penalties resulting from audit findings, the OCR emphasizes the legal obligations surrounding PHI protection.


What was said? 

According to BankInfoSecurity, “86% of covered entities (CEs) and 83% of business associates (BAs) failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit.”

“For 15 years, HHS has violated the HITECH Act because it has not conducted annual periodic audits of HIPAA Privacy and Security Rule compliance by covered entities and business associates or submitted findings of those audits to the Senate and House committees named in the law,” says regulatory attorney Paul Hales of the Hales Law Group. This has led to an increase in HIPAA violations and breaches.

OCR director Melanie Fontes Rainer informed BankInfoSecurity that "OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information." This comes after a seven-year hiatus: the last round of random HIPAA compliance audits was conducted in 2016–2017, and its results were published in 2020.

See also: HIPAA Compliant Email: The Definitive Guide


Why it matters

The OCR is responsible for enforcing HIPAA; however, over the past seven years, it has not conducted HIPAA audits to ensure that covered entities and their business associates are complying with HIPAA regulations. This has put patient privacy at a high risk of breach, because covered entities and their business associates have come to regard HIPAA compliance as “less urgent than other day-to-day matters,” according to Hales.


The big picture

With the OCR planning to revive its random HIPAA audits, compliance with HIPAA may increase, resulting in a decreased risk of data breaches. Covered entities will be held accountable if they are found not to have measures in place to safeguard the PHI of their patients.



How are HIPAA audits conducted?

The process of conducting HIPAA audits typically involves the following steps:

  • Selection
  • Notification
  • Pre-audit preparation
  • Audit conduct
  • Findings and remediation
  • Follow-up

Go deeper: How to conduct a HIPAA compliance audit


How often should HIPAA audits be conducted?

The law does not require HIPAA audits to be performed at a set schedule or frequency. However, the OCR must conduct periodic audits as part of its enforcement efforts to ensure ongoing compliance with HIPAA regulations. The frequency of HIPAA audits can vary depending on factors such as available resources, emerging trends or issues in healthcare data privacy and security, and enforcement priorities. 


What are the consequences of non-compliance with HIPAA regulations?

The consequences of HIPAA violations can differ based on the severity and context of the breach. Consequences include civil fines that can vary from $100 to $50,000 per violation, reaching a maximum yearly penalty of $1.5 million for repeated violations of the same rule. In cases of intentional disregard, penalties can escalate, potentially leading to criminal charges. Such charges could incur fines of up to $250,000 and imprisonment for a maximum of 10 years for severe infractions.

Go deeper: What are the penalties for HIPAA violations?
