Healthcare cybersecurity has never been under more scrutiny – or more in need of improvement. The volume of data breaches has more than doubled since 2017, with more than $6 million in HIPAA fines from the Office for Civil Rights (OCR) in 2024 alone – all of which help explain why the OCR has announced the return of its HIPAA Audit program.
But this presents covered entities with a challenge. It has been four years since the program’s last phase concluded, and many organizations are not prepared for the process – and will want to know what exactly the HIPAA Audit program now requires of them.
This article answers that question, providing everything you need to navigate the process and ensure compliance in the coming years.
What is the OCR HIPAA Audit Program?
The Office for Civil Rights (OCR) is a division of Health and Human Services with the responsibility to ensure industry compliance with an individual’s rights to Privacy, safeguards to electronic PHI and to investigate an organization’s diligence when breaches occur. Part of the OCR’s focus is also to develop audit rules in its activities ensuring the industry is adopting compliance efforts, reducing risk of breaches and improving health care. This is called the HIPAA Audit Program, and leverages the instructions, called the Audit Protocol, to test compliance.
HIPAA Compliance Audits: A Brief History
Phase 1 of the HIPAA Audit Program officially ended and Phase 2 of the HIPAA Audit program was announced on March 21, 2016 by Health and Human Services. In April 2016 they announced the updated HIPAA Audit Protocol. To clarify, the HIPAA law itself has not changed since the Omnibus update in 2013, but the government’s auditing of compliance has been updated and expanded.
Here is what our experts wrote at the time:
“The HIPAA Audit Protocol is something the Healthcare Information Technology compliance and audit communities have been asking for a long time, which is more guidance on HIPAA regulations. In addition to NIST-based risk analysis methodologies, this new set of protocols (instructions) is the most comprehensive guidance we have for HIPAA security (safeguards around electronically protected health information, or PHI), privacy (rights and restrictions to PHI) and breach notification requirements (what to do when a breach of PHI happens).”
But so much has changed since then – and that brings us to the latest phase of the program.
What is the Current Status of the HIPAA Audit Program?
In February 2022, the OCR made an official request for feedback on the second phase of the HIPAA Audit program. All covered entities that participated in compliance audits between 2016-17 were asked to comment on the following:
- The efficacy of the audit program
- The usefulness of HHS guidance and communications
- The user experience of the audit’s online submission portal
- The impact of the audit on their compliance programs
This tells us two things: first, the OCR is ramping up to announce a third phase of the compliance audit program in the coming years, and second, it will be measurably different from the last program – which means the tools you used previously may no longer cut it.
The Current State of HIPAA Audit Checklists and Tools
Given the OCR’s clear intention to reintroduce the HIPAA Audit Protocol in the coming years, questions are already being raised about the appropriate pre-emptive measures organizations can take. It is clear that checklists, spreadsheets, the OCR’s SRA tool, HITRUST and most commercial compliance software companies will not meet the requirements of future HIPAA Audit Protocols.
That is why a growing number of covered entities are investing in new solutions that ensure they are proactive about compliance – and prepared for the OCR’s next announcement.
To learn more about how your organization can simplify and automate HIPAA Security, Privacy and Breach Notification Assessments, Mock-Audits and Risk Analysis in compliance with the HIPAA Audit Protocol, HITECH and NIST-based methodologies, contact us.
