OCR Conducts Third Phase of HIPAA Compliance Audits
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that it is conducting the third phase of its HIPAA compliance audits. The audits will cover 50 healthcare entities and business associates.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires OCR to perform periodic audits of HIPAA-covered entities to determine their compliance with the HIPAA Security, Privacy, and Breach Notification Rules. The first phase of HIPAA audits started in 2012 and involved 115 audits, consisting of 61 healthcare providers, 47 health plans, and 7 healthcare clearinghouses. The second phase, in 2016/2017, included 207 desk audits, consisting of 166 covered entities and 41 business associates. Both phases found widespread HIPAA non-compliance; most entities audited in the second phase did not achieve HIPAA compliance.
The third phase of HIPAA audits was considerably delayed because of insufficient resources. Despite OCR’s increased workload, its funding remained the same. OCR investigates every data breach in which more than 500 individuals are affected. From 2010 to 2011, OCR received 200 large data breach reports each year from HIPAA-covered entities. By 2020, the number of data breach reports had more than tripled. In each of the past 4 years, over 700 large data breaches were reported to OCR. Moreover, the number of complaints submitted to OCR regarding potential HIPAA violations increased by 306% from 2010 to 2023.
At the beginning of 2024, OCR asked for feedback on how to improve its HIPAA audit program. In the summer of 2024, although OCR faced financial difficulties, OCR Director Melanie Fontes-Rainer stated that the HIPAA audit program would start before 2024 ended. Tim Noonan, OCR’s deputy director for health information privacy, stated that the third phase of compliance audits began in December 2024. This phase assesses compliance with selected provisions of the HIPAA Security Rule that relate to preventing hacking and ransomware attacks. Noonan said that from 2020 to 2024, hacking incidents rose by 30%, and ransomware attacks on the healthcare industry increased by 45%. In 2024, 81% of all data breach reports submitted to OCR were caused by hacking.
The HHS Office of Inspector General reviewed the 2016/2017 audit program and determined that it had a narrow scope: only 8 of the 180 HIPAA Rule requirements and two administrative safeguards of the HIPAA Security Rule were checked for compliance. For the third phase of audits, it is not yet known which HIPAA requirements are being reviewed. These audits will enable OCR to evaluate compliance mechanisms, discover promising health data privacy protection practices, and identify risks and vulnerabilities not observed through OCR’s enforcement activities.