OCR Says HIPAA Audits Will Resume: OIG Makes Recommendations for Enhancement
Recognizing the increasing number of successful cyberattacks targeting health care organizations and their valuable patient data, the Office of the Inspector General (OIG) is calling for enhancements to the HIPAA audit program. In its response to OIG, detailed below, the Office for Civil Rights (OCR) noted that HIPAA audits were expected to resume later this year, which presumably means in the last few weeks of 2024 or early 2025. OCR last conducted HIPAA audits in 2016-2017, auditing 166 covered entities and 41 business associates, and released the findings of those audits in 2020.
In its report published in November 2024, OIG highlighted two primary findings:
- Narrowly Scoped HIPAA Audit Program. OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess protections for electronic protected health information (ePHI) and demonstrate a reduction of risks within the health care sector.
- Ineffective OCR Oversight. OCR oversight of the HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
In addressing these concerns, OIG made various recommendations for OCR to enhance its HIPAA audit program. OCR responded to the OIG findings in an August 2024 letter, which OIG published with its report. Here is a summary of OIG’s recommendations for actions by OCR and OCR’s respective responses.
- Audit Physical and Technical Safeguards: Expand the scope of HIPAA audits to assess compliance with the HIPAA Security Rule's physical and technical safeguards.
  - OCR agreed with this recommendation, stating that it will focus future audits on specific provisions selected on the basis of a variety of factors, including industry trends and the most prevalent risks and vulnerabilities to PHI. OCR also indicated that future audits may include selected provisions of the HIPAA Security Rule, including physical or technical safeguards.
- Ensure Deficiencies Are Corrected: Document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner.
  - OCR did not concur with this recommendation, stating that (i) OCR does not in all cases have the legal authority to require such injunctive relief; (ii) OCR lacks the staff and financial resources to pursue this against every audited entity; and (iii) doing so would not align with the purpose of the HIPAA audit program, whose goal is to provide technical assistance to audit participants where deficiencies are found.
- Determine When a Compliance Review Is Warranted: Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
  - OCR agreed with this recommendation, stating that it plans to initiate HIPAA audits “later this year” and will develop criteria identifying the factors it would consider in deciding whether to initiate a compliance review of an audited entity whose identified compliance issues have not been corrected. With the end of the year almost here, it is unclear whether OCR can hold to that timeline. Nonetheless, covered entities and business associates should be aware that OCR plans to recommence HIPAA audits and should take any steps necessary to ensure compliance with the HIPAA Rules.
- Metrics to Monitor Effectiveness: Define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over PHI, and periodically review whether these metrics should be refined.
  - OCR agreed with this recommendation and stated that it will survey the covered entities and business associates that participated in the previous audits. The survey responses will be used to track how audited entities updated their HIPAA compliance following the audit.
Enforcement Process
The OIG report included a summary and diagram of OCR's process for enforcing potential HIPAA violations. In summary, OCR reviews complaints received through its complaint portal, events or incidents otherwise brought to its attention (e.g., through breach reports, media coverage, or referrals from other agencies), and patterns identified across the complaints it receives. OCR must investigate every breach report affecting 500 or more individuals; it may open an investigation into a breach affecting fewer than 500 individuals or where a serious compliance issue is identified. If a possible criminal violation is involved, OCR refers the matter to the Department of Justice, which may conduct a criminal investigation in parallel with OCR's civil investigation.
OCR will collect a variety of evidence to determine whether the entity was in compliance with the HIPAA Rules. HIPAA-regulated entities are legally required to cooperate with complaint investigations and compliance reviews. Where OCR finds indications of noncompliance due to willful neglect or determines that the nature and scope of the noncompliance warrants further enforcement action, OCR will pursue a resolution agreement involving a settlement payment and an obligation to complete a corrective action plan to address compliance issues. If OCR and a HIPAA-regulated entity cannot reach an agreement, or if there is a breach of the terms of such a resolution agreement, OCR may pursue formal enforcement, including a civil monetary penalty.
Key Takeaways
The key takeaway is that OCR is committed to recommencing HIPAA audits and that their scope will be expanded beyond that of the 2016-2017 audits.
In anticipation of the resumption of these audits, covered entities and business associates should review their HIPAA compliance programs, including ensuring that they have an up-to-date and comprehensive HIPAA security risk analysis, policies sufficient to meet the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, HIPAA training for workforce members, and business associate agreements in place wherever HIPAA requires them.
Covered entities should also ensure they have a Notice of Privacy Practices that contains the content required by HIPAA and is distributed in accordance with HIPAA’s requirements. For more information on this new report or legal considerations related to digital health or data privacy, contact Foley’s Telemedicine & Digital Health or Cybersecurity & Data Privacy teams.