By Rachel Klugman Seeger, MPA, MA
After a seven-year pause, OCR quietly announced it is initiating a third phase of its HIPAA audit program, focusing on a review of 50 covered entities’ and business associates’ compliance with those provisions of the HIPAA Security Rule most relevant to hacking and ransomware attacks.
The significant rise in cybersecurity incidents affecting healthcare organizations has affected millions of consumers across the country and caused a corresponding spike in reports of large breaches to OCR. The 2024-2025 HIPAA Audits will give OCR an opportunity to examine the state of compliance with the HIPAA Security Rule, identify best practices for safeguarding the privacy and security of health information, and identify risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities.
While we wait for OCR to conduct these audits and publish a corresponding industry report summarizing their findings, there is no time like the present for HIPAA covered entities and their business associates to improve their cyber posture and bolster their overall compliance with the Security Rule by conducting their own internal HIPAA audits. The following steps can work for organizations of all sizes:
- Download a copy of OCR’s 2018 audit protocol. OCR is incredibly transparent with their enforcement work and published an audit protocol in 2018 that can serve as an excellent roadmap for initiating an internal audit. The protocol includes sections for every provision of the HIPAA Rules, describes the performance criteria expected of covered entities and business associates, and includes sample questions that an auditor might ask.
- Review OCR’s Cybersecurity Newsletters and Security Webinars: OCR regularly posts cybersecurity newsletters on a variety of topics with useful best practices for protecting your organization from hacking and ransomware attacks. Of note is the October 2024 OCR Cybersecurity Newsletter titled, Social Engineering: Searching for Your Weakest Link, which reminds us that educating workforce members is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. OCR’s 2023 webinar, How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks, illustrates how the Security Rule can help HIPAA regulated entities defend against cyber-attacks, reviewing examples of real world cyber-attack trends from OCR breach reports and investigations, and explores how implementation of appropriate HIPAA Security Rule safeguards can help detect and mitigate common cyberattacks.
- Conduct an IT Asset Inventory. An updated IT Asset Inventory can help confirm that new procurements are in line with policies and procedures, identify gaps in controls, and address technologies that are at or near the end of their lifecycle. NIST’s Special Publication 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations, is an excellent playbook that can be easily tailored to help organizations of all sizes conduct security and privacy control assessments that support risk management. This resource also includes information on building effective security and privacy assessment plans along with guidance on analyzing assessment results.
- Run a tabletop exercise. Invite key members of your organization to take part in a simulation of a real audit to improve your organizational readiness and identify areas for improvement. A mock audit focusing on key areas of compliance with the HIPAA Security Rule is a valuable tool for preparation and improvement, ensuring that your organization’s processes, documentation, and internal controls are up to date. You can find an updated HIPAA audit checklist in the Version 3.5 HIPAA Security Risk Assessment Tool, jointly produced by the HHS Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ONC) and OCR in 2023. The Version 3.5 User Guide highlights new enhancements and improvements, including references to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, the Healthcare and Public Health (HPH) Cybersecurity Performance Goal (CPG), and new content on mitigating organizational threats and vulnerabilities as well as cybersecurity supply chain risks.
- Ensure Deficiencies are Corrected. Finally, ensure that any areas of concern uncovered in your internal audit processes are corrected in a timely manner and document, document, document.
While OCR’s 2024-2025 HIPAA Audits are likely to pass over most organizations, an ounce of prevention is worth a pound of cure, as the old Ben Franklin adage goes. Documenting and updating your organization’s cybersecurity readiness and overall compliance with the Security Rule will put you in a better position should you be required to produce this information in response to a breach. It is in the best interest of your organization and the patients you serve to prevent costly penalties and/or corrective actions that might arise in the future.
Rachel Seeger is the former Senior Advisor for Communication at the HHS Office for Civil Rights, where she worked on the HIPAA Privacy, Security, and Breach Notification Rules and related issues including cybersecurity and telehealth. She is an experienced healthcare compliance professional. You may find her on LinkedIn.
