HHS Announces HIPAA Audit Program Will Resume
Posted By Madilyn Moeller, Friday, January 24, 2025
The U.S. Department of Health and Human Services (HHS) recently updated its HIPAA enforcement website to announce the start of its 2024-25 audit program. HIPAA is enforced by HHS’ Office for Civil Rights (OCR). According to OCR, the 2024-25 HIPAA audits will review the compliance of 50 covered entities and business associates (collectively called regulated entities) with selected provisions of the HIPAA Security Rule most relevant to hacking and ransomware attacks.
This is a significant compliance step for OCR, which has not utilized its HIPAA audit program since 2016-17 due to a lack of financial resources. HIPAA audits are primarily a compliance improvement activity; however, if an audit reveals a serious compliance issue, OCR may initiate a compliance review of the regulated entity to investigate.
- HHS has announced that its HIPAA audit program will resume.
- Fifty covered entities and business associates will be selected for an audit.
- The audits will focus on selected provisions of the HIPAA Security Rule most relevant to hacking and ransomware attacks.
- Although HIPAA audits are primarily a compliance improvement activity, HHS may investigate a regulated entity if an audit reveals a serious compliance issue.