Audits Focus on HIPAA Security Rule Provisions Related to Ransomware, Hacking

The U.S. Department of Health and Human Services has quietly resumed HIPAA compliance audits of covered entities and business associates for the first time in nearly a decade.
With the surge in ransomware and other hacking incidents being reported to federal regulators in recent years, the focus of the audits is on the provisions of HIPAA most relevant to these attacks, said Tim Noonan, HHS Office for Civil Rights deputy director of health information privacy, data and cybersecurity, during a prerecorded virtual HIPAA summit that aired on Tuesday.
The 2024-2025 audits – which kicked off in late December – will include 50 covered healthcare organizations and business associates, he said.
Auditors are focusing on compliance with certain provisions of the HIPAA security rule that relate to preventing ransomware and other hacking incidents, in line with major health data breach trends, he said. From 2020 through 2024, hacking incidents increased 30% and ransomware attacks rose 45% among major health data breaches reported to the agency, Noonan said.
In 2024, 81% of major breaches affecting 500 or more individuals reported to HHS OCR involved hacking, he said.
Noonan did not elaborate on which provisions of the HIPAA security rule are being examined, nor did he describe how the organizations are being chosen for audits.
HHS OCR did not immediately respond to Information Security Media Group’s request for additional details about the compliance audits, including timeline and the specific HIPAA security rule provisions being examined.
HHS OCR last year said it planned to resurrect the audits, which were mandated under the HITECH Act of 2009 but were last conducted in 2016-2017 (see: How HHS OCR is Boosting HIPAA Enforcement: Here Come Audits).
HHS in February 2024 published in the Federal Register a notice saying that OCR would conduct a survey of HIPAA-regulated organizations that were subjects of the 2016-2017 compliance audits in order to better assess the effectiveness of the program and where improvements should be made (see: They’re Back: HHS OCR Plans to Resurrect Random HIPAA Audits).
Back in November, the HHS Office of Inspector General issued a report recommending that HHS OCR resume its dormant HIPAA audit program and also document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner (see: Watchdog Report: HHS OCR Should Beef Up HIPAA Audit Program).
At that time, HHS OCR issued a response to the HHS OIG report saying that stretched resources at the agency were a factor in not relaunching the audit program sooner. “HHS OCR has had nearly flat appropriations for 20 years, even with OCR’s continued requests for additional appropriations and resources, which has resulted in unsustainable workloads,” the agency wrote.
HHS OCR on a webpage about the 2024-2025 audits said the new batch of audits will give the agency “an opportunity to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities.”
HHS OCR will publish an industry report summarizing its findings after the 2024-2025 HIPAA audits are completed.
After HHS OCR completed its 2016-2017 audits – which reviewed the compliance of 166 covered firms and 41 business associates – it took the agency until December 2020 to finally issue a report on its findings (see: At Last, Results of HIPAA Compliance Audit Program Revealed).
The findings from those audits – which included the failure of many organizations to conduct a security risk analysis and the failure to give patients access to their records – are still relevant weaknesses spotlighted by HHS OCR in its HIPAA breach and complaint investigations.
HIPAA Security Rule Update
As for other regulatory work underway at HHS OCR, Noonan said the agency is beginning to read the 4,745 public comments it received on its proposed update to the HIPAA security rule, which was published on Jan. 6 in the final days of the Biden administration (see: What’s in HHS’ Proposed HIPAA Security Rule Overhaul).
HHS OCR collected public comment through March 7. “We read every single comment – and will organize the comments by category … to try to get a sense of the public response to the proposals,” he said.
Once those comments are reviewed, “we will work within HHS on what future actions we might take.”
The HIPAA security rule, which was first finalized in 2003, has not had a major update since then, aside from some changes in 2012 related to the HITECH Act, which made business associates directly liable for HIPAA compliance.