The Value of an Effective HIPAA Compliance Program Amid OCR HIPAA Audits
Authors
John F. Howard, Paul F. Schmeltzer
In 2024, the U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) Director Melanie Fontes Rainer announced that OCR will resume auditing Health Information Portability and Accountability Act (“HIPAA”) covered entities and business associates. These audits are part of the ongoing effort to ensure compliance with HIPAA, particularly in light of the growing number of cyberattacks and data breaches in the healthcare sector. The HIPAA audit program, initiated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, mandates periodic audits, but this will mark the first round of such audits since 2017.
Key Drivers of the Renewed Audit Program
One of the primary reasons behind the revival of the HIPAA audit program is the alarming increase in data breaches, especially those caused by hacking and ransomware. OCR reported in March 2024 that there has been a 256% increase in large data breaches involving hacking and a 264% increase in ransomware attacks over the past five years. The healthcare sector has become a prime target for cybercriminals, and numerous high-profile breaches have occurred recently, underscoring the urgent need for more robust compliance with HIPAA.
OCR has made it clear that many of these breaches can be attributed to inadequate compliance with the HIPAA Security Rule. Recent settlement agreements involving covered entities and business associates affected by ransomware attacks shed light on the specific compliance failures that OCR has identified. These include:
- Failure to conduct accurate and thorough risk assessments: Many entities have not performed accurate or comprehensive security risk analyses, leaving them vulnerable to known risks.
- Insufficient monitoring of information systems: OCR has pointed out the lack of policies and procedures required under the Security Rule to log and monitor information systems for suspicious activity.
- Inadequate safeguards to mitigate risks: Even when entities are aware of the risks posed by cyberattacks, many fail to implement sufficient measures to protect electronic protected health information (ePHI).
- Overall noncompliance with the Security Rule: OCR has found a general lack of adherence to the requirements of the Security Rule, particularly regarding policies, procedures, and employee training.
The settlement agreements have included financial settlements totaling hundreds of thousands of dollars and have required each entity to implement corrective actions, such as:
- Conduct a comprehensive and thorough Security Risk Analysis and develop an enterprise-wide Risk Management Plan;
- Review, develop, and revise all Privacy and Security Rule policies and procedures;
- Develop and implement an effective workforce training program on all such policies and procedures; and
- Review all vendor and third-party provider relationships to identify business associates and ensure all appropriate agreements are in place.
Financial Penalties and Corrective Actions
As a result of these compliance gaps, entities that have settled with OCR have faced significant financial penalties, often amounting to hundreds of thousands of dollars. In addition to the fines, these entities have been required to take corrective actions such as:
- conducting a comprehensive security risk analysis and developing a robust, enterprise-wide risk management plan;
- reviewing and updating all policies and procedures related to the Privacy and Security Rules;
- implementing an effective training program for all employees, ensuring they understand and follow updated policies and procedures; and
- evaluating relationships with vendors and third-party providers to identify business associates and ensure proper business associate agreements (BAAs) are in place.
Increased Scrutiny in Breach Investigations
OCR’s focus on compliance with the Security Rule extends into all of its breach investigations. Entities that experience a reportable breach must now provide detailed documentation demonstrating their compliance with the Security Rule. Policies and procedures alone are no longer sufficient to prove compliance. Proof of compliance could include:
- interviews with workforce members to assess their knowledge of HIPAA policies;
- the review of vendor and third-party provider agreements;
- documentation and review of risk assessments and risk management plans;
- proof of security measures and technical safeguards implemented to protect ePHI; and
- other types of detailed documentation to demonstrate compliance.
Strengthening Your HIPAA Compliance Program
With the rising number of cyber threats, it is important for all HIPAA-covered entities and business associates to proactively review, develop, implement, and strengthen their compliance programs. This process should include a thorough evaluation of all applicable policies and procedures to ensure they align with the latest Privacy and Security Rule requirements. Gaps in compliance must be identified and addressed.
Additionally, all employees must be adequately trained on HIPAA requirements and on the updated policies and procedures. Regular internal evaluations should be conducted to ensure the compliance program is functioning as intended. This proactive approach can help reduce the risk of data breaches and ensure compliance with OCR’s increasingly stringent expectations.
In light of OCR’s renewed focus on audits and breach investigations, now is the time to prioritize HIPAA compliance and safeguard your organization from the costly consequences of non-compliance.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.