OCR HIPAA Audit Program

The HITECH Act requires the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to conduct periodic audits of HIPAA covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The first round of audits was conducted in 2011-2012, and the second round was conducted in 2016. 

In 2024, OCR published a notice in the Federal Register seeking feedback from entities audited in the second phase of audits to gather information that could be used to improve OCR’s future audit programs. This request for information may indicate that a third round of audits is on its way. This article covers the history of the OCR HIPAA Audit Program and what a third round of audits might look like.

OCR HIPAA Audit Program: Phase 1

In 2011 and 2012, OCR implemented a pilot HIPAA audit program (Phase 1 Audits). The scope of the program was relatively small. OCR selected 115 covered entities to be audited. OCR then evaluated the effectiveness of the controls and processes implemented by these covered entities. 

The audits were completed in December of 2012. Subsequently, OCR evaluated the effectiveness of the pilot HIPAA audit program. OCR used the information provided by auditees to determine what types of technical assistance should be developed in the future, and what types of corrective action are most effective.

OCR HIPAA Audit Program: Phase 2

OCR launched Phase 2 of the HIPAA audit program in 2016. Both covered entities and business associates were audited during the Phase 2 HIPAA audit program. The purpose of the Phase 2 HIPAA audit program was to enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to PHI.

The Phase 2 audit protocols were announced in advance of the audits, and the auditees (which included 166 covered entities and 41 business associates) were notified ahead of time that they would be audited. After the Phase 2 audits were completed, OCR published an Audit Report in 2020.

OCR summarized the results of the Phase 2 HIPAA Audit Program as follows:

  1. Most covered entities met the timeliness requirements for providing breach notification to individuals.
  2. Most covered entities that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
  3. Most covered entities failed to provide all of the required content for a Notice of Privacy Practices.
  4. Most covered entities failed to provide all of the required content for breach notification to individuals.
  5. Most covered entities failed to properly implement the individual right of access requirements, such as timely action within 30 days and charging a reasonable cost-based fee.
  6. Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and management.

OCR HIPAA Audit Program: The 2024 Request for Information

In February of 2024, OCR announced that it would be sending a 39-question online survey to the Phase 2 auditees. OCR indicated that the survey would be used to: 

  1. Measure the effect of the 2016-2017 Phase 2 HIPAA Audits on covered entities’ and business associates’ subsequent actions to comply with the HIPAA Rules.
  2. Provide entities with an opportunity to give feedback on the Audit and its features, such as the helpfulness of HHS’ guidance materials and communications, the utility of the audit online submission portal, whether the Phase 2 audit helped improve entity compliance, and the entities’ responses to the Audit-report findings and recommendations.
  3. Provide OCR with information on the burden imposed on entities to collect audit-related documents and to respond to audit-related requests.
  4. Seek feedback on the effect of the Phase 2 HIPAA audit program on the entities’ day-to-day business operations.

In its February 2024 announcement, OCR also indicated that “The information, opinions, and comments collected using the online survey will be used to improve future OCR HIPAA Audits.”

OCR HIPAA Audit Program: What Might a Phase 3 Audit Look Like?

One discovery from the Phase 2 audit program was that “Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.”

In 2023, OCR launched a new enforcement initiative focused on compliance with the HIPAA Security Rule’s risk analysis provision. Since then, OCR has conducted webinars and provided technical assistance to HIPAA-covered entities on this topic.

In December of 2023, OCR issued a Healthcare Sector Cybersecurity Strategy concept paper. In the concept paper, OCR noted that it would begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to include new cybersecurity requirements.

The update has not yet begun, and there has been no formal announcement of a Phase 3 audit. Still, given the recent flurry of activity focused on cybersecurity and on the risk analysis rule in particular, there is a good chance that a Phase 3 audit would prominently feature questions gauging covered entities’ and business associates’ Security Rule compliance, including compliance with the risk analysis rule.

How Can Compliancy Group’s Solution Help with Future Audits?

Compliancy Group’s healthcare compliance tracking solution, The Guard, contains a series of tools that healthcare organizations can use to monitor their HIPAA compliance. These tools include incident management, vendor management, template policies, a series of LMS training videos, and a series of program controls (actions to take in accordance with HIPAA regulations). 

Organizations can use these tools to begin and maintain a compliance initiative and to track their compliance progress in real time. The compliance tools offered through The Guard allow users to provide effective responses to future audit questions and initiatives.