OCR Gearing Up for New Round of HIPAA Audits in 2024

By Art Gross, President and CEO, HIPAA Secure Now!
LinkedIn: Art Gross
LinkedIn: HIPAA Secure Now!
Read other articles by this author

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is preparing to launch a new round of audits in 2024 to assess compliance with the HIPAA Security Rule across the healthcare sector. After long delays, HIPAA-regulated entities can expect increased scrutiny on their security practices and risk management programs.

Why New HIPAA Audits Are Critically Needed

Under the HITECH Act, HHS is required to conduct periodic audits of covered entities and business associates to ensure compliance with the HIPAA.

Additionally, the number of large healthcare data breaches has skyrocketed in recent years, more than doubling from 358 breaches exposing 5.1 million records in 2017 to 725 breaches exposing over 133 million records in 2023. This alarming trend strongly suggests that many organizations are not fully compliant with HIPAA’s safeguards to protect patient data.

According to OCR Director Melanie Fontes Rainer, risk analysis failures are commonly found during breach investigations, especially at smaller healthcare providers and plans. Organizations are failing to thoroughly assess risks to their electronic protected health information (ePHI), leaving vulnerabilities that criminal hackers are actively exploiting.

What to Expect in the 2024 HIPAA Audit Program

While details are still emerging, OCR has signaled that the new HIPAA audit program will have a sharp focus on compliance with the HIPAA Security Rule, including:

Risk Analysis and Risk Management
Conducting a comprehensive, organization-wide risk analysis is required by the Security Rule to identify potential threats to ePHI. Auditors will scrutinize the risk analysis process and risk management programs.

Technical Safeguards
Encryption, multi-factor authentication, audit controls and other technical safeguards will likely be assessed to ensure ePHI is properly secured.

Policies and Procedures
Having formal, documented security policies and procedures in place as required by the Security Rule.

How to Prepare for HIPAA Audits

With HIPAA enforcement audits on the horizon, covered entities big and small, as well as Business Associates, must prioritize the following:

Conduct a Thorough Risk Analysis
Use a structured process to identify all potential risks to ePHI across the organization.

Implement a Risk Management Plan
Document a clear plan to manage and mitigate identified risks through proper administrative, physical and technical safeguards.

Review Security Policies and Procedures
Ensure you have comprehensive, up-to-date security policies covering areas like access controls, incident response, auditing and more.

Provide Ongoing Security Training
Maintain a workforce training program on cybersecurity best practices.

The writing is on the wall – HIPAA enforcement through audits is ramping up in 2024. By prioritizing risk management and technical safeguards now, healthcare organizations can get ahead of the curve on compliance. The costs of an audit finding or breach are far higher than being proactive.

This article was originally published on HIPAA Secure Now! and is republished here with permission.