The U.S. Department of Health and Human Services (HHS) has resumed its HIPAA compliance audits after nearly a decade. These audits are focused on healthcare organizations and business associates, specifically targeting provisions in the HIPAA security rule related to cybersecurity. The aim is to assess how well covered entities are preventing ransomware and hacking incidents, which have been increasing in recent years. The audits started in December 2024 and will review 50 organizations.
In the past four years, health data breaches caused by hacking have surged, with ransomware attacks increasing by 45%. In 2024 alone, 81% of major breaches involved hacking incidents. Tim Noonan, deputy director of HHS’s Office for Civil Rights (OCR), stated that the audits will focus on areas that help mitigate these threats, though specific provisions being examined were not disclosed. The audits come at a time when the federal government is grappling with a rise in cyberattacks targeting the healthcare sector.
HHS OCR’s last audit program, conducted in 2016-2017, reviewed 166 covered entities and 41 business associates. The findings from those audits highlighted weaknesses, such as failing to conduct security risk analyses and failing to provide patients with access to their records. In response to a report from the Office of the Inspector General, HHS OCR resumed the audits to address these gaps and improve its compliance processes. The results from these audits are expected to help identify best practices and risks that enforcement activities alone do not surface.
Alongside the audits, HHS OCR is also working on updating the HIPAA security rule. The agency recently reviewed over 4,700 public comments on its proposed update, which aims to address gaps in data security and modernize the rule. With a focus on improving healthcare data protection, HHS OCR plans to use these comments to shape future regulatory actions, including potential revisions to the security rule to better combat emerging threats.