
How to prepare for OCR's HIPAA audit program
After a long hiatus, OCR's HIPAA audit program is returning, this time with a focus on HIPAA Security Rule provisions surrounding hacking and ransomware.
The HHS Office for Civil Rights resumed its HIPAA audit program in December 2024 after a seven-year hiatus. During the 2024-2025 audits, OCR plans to review the HIPAA compliance efforts of 50 covered entities and business associates, with a marked focus on the HIPAA Security Rule provisions most relevant to hacking and ransomware attacks.
The chosen entities will have to organize documentation and gather the necessary materials for OCR to assess the auditee's compliance with the HIPAA rules. Even if a covered entity or business associate was not chosen for this round of audits, preparing for future iterations of the HIPAA audit program can help entities bolster their security practices and identify compliance gaps.
HIPAA audit program history
The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires HHS to conduct periodic audits of covered entities and business associates to assess compliance with the HIPAA Security, Privacy and Breach Notification rules.
"The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches," the HHS website states.
"OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges."
In 2012, OCR conducted phase one of its audit program. The pilot audit program consisted of on-site audits of covered entities' documentation and compliance with the HIPAA rules.
OCR also developed an audit protocol to guide its audit process. The protocol includes sections for every provision in HIPAA and describes key compliance activities, questions entities can apply when reviewing their compliance, and measurable performance criteria.
The 2016-2017 audits, known as phase two, included 166 covered entities and 41 business associates. The findings of these audits, published by OCR through an industry report, revealed that the audited covered entities were generally in compliance with just two of the seven areas audited -- timeliness of breach notification and prominent posting of a notice of privacy practices on their websites.
However, the audits revealed gaps in several other areas, including failure to provide the required content for a notice of privacy practices and to implement individual right of access requirements.
After the 2016-2017 batch of audits, the audit program was dormant until December 2024. Prior to the reemergence of the audits, the HIPAA audit program was the subject of a November 2024 HHS Office of Inspector General (OIG) report. OIG recommended that OCR expand its audit program and define metrics for measuring the effectiveness of the audits.
OCR concurred with most of OIG's recommendations but noted that it would need more funding and staffing resources to audit every provision within HIPAA. As such, OCR made it clear that it would focus future audits on specific provisions chosen based on industry trends and relevant risks to protected health information.
In March 2024, HHS Secretary Robert F. Kennedy, Jr. announced sweeping cuts to the HHS workforce. Paired with previous offers of early retirement, the restructuring resulted in downsizing from 82,000 to 62,000 full-time employees across HHS. Given OCR's already lean workforce, it is unclear whether these cuts will impact OCR's audit program capabilities.
Nonetheless, covered entities that prepare for potential audits can ultimately improve HIPAA compliance and further safeguard patient information.
How security, privacy pros bolster compliance in advance of audits
Although the audit program was inactive for several years, healthcare privacy and security leaders are taking lessons learned from the last round of audits into the future. On Mar. 27, 2025, panelists at the Virtual 42nd National HIPAA Summit gathered to discuss how to respond to OCR's HIPAA audit program.
"It's not if but when they're coming. That was the approach that we took," Mercy Del Rey, chief privacy officer at Baptist Health, said during the session, referencing her organization's efforts when preparing for phase two of the audits in 2016-2017.
"We started preparing, and during that preparation process, we found some things that we were happy we found because they presented opportunities for improvement for us."
Del Rey recommended creating a regulatory checklist to remind teams to check certain compliance elements regularly, such as ensuring the link to the organization's notice of privacy practices is working and monitoring right of access policies.
April Carlson, senior manager of information security at Mayo Clinic, said during the panel session that her organization prepared for regulator audits by doing its own internal audits across all its care sites, which helped strengthen security and compliance in advance of OCR's audits.
When the time came for a real OCR audit, Carlson said that her team was prepared and ready to answer OCR's questions.
"I felt like we provided all the things they asked for, and then we were able to use some of their findings to make some very positive changes for our patients," Carlson said.
The panelists recommended running tabletop exercises, monitoring business associate relationships to ensure compliance, centralizing communication with OCR and annotating the audit protocol to link specific policies to protocol requirements.
While the audit process this time around will likely not be exactly like the last round, the panelists cautioned that going through the process of collecting documentation and pulling together the required materials will put your organization in a better position to respond if an OCR audit comes your way.
"Whether or not the audits continue, it just takes one breach where you may be required to produce all of this information anyway," Carlson said. "It's in the best interest of the patients to be doing this correctly, both on the privacy and the security side."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.