April 10, 2025

The HIPAA Audit program is back in business. Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office for Civil Rights (OCR) has been able to audit practices to ensure they follow HIPAA standards. While the revival of the audit program was announced last May, new information was confirmed at the latest HIPAA Summit: 50 Covered Entities and Business Associates have been selected to be audited. This program was last active from 2016-2017, and it highlighted that, unfortunately, noncompliance with HIPAA is far too common in regulated entities. In fact, only 14% of Covered Entities, like medical practices, could produce a compliant Security Risk Analysis (SRA).

The healthcare industry is entering a new era of HIPAA compliance in the wake of the largest ever healthcare data breach. New HIPAA legislation is being reviewed, and the Office of the Inspector General (OIG) is recommending stricter audit processes. With millions in fines already imposed in 2025, proactive preparation is now critical for healthcare providers and their business partners.

What is the Audit Program?

The audit program was first introduced when the HITECH Act was enacted in 2009. While the majority of the investigations the OCR conducts are reactive, following a patient complaint or a breach, the audit program is random. As the audit program resumes, the OCR will thoroughly review the selected organization’s documentation and current processes. A compliant HIPAA program entails much more than training; it also requires comprehensive, continuous protocols to ensure patient data is being protected.

The basis of a compliant practice is being able to present an SRA. As stated earlier, previous audit programs spotlighted the shortcomings of regulated entities in completing this. The SRA is a thorough assessment of your practice, including a review of the safeguards your practice currently has in place. Technical, physical, and administrative safeguards all play a role in securing Protected Health Information (PHI). This would include a deep dive into the technology your practice uses, the physical protections your practice might have (like alarms), and the administrative policies your practice follows. Completing this analysis will allow your practice to identify vulnerabilities before a breach occurs. Proactive compliance, addressing issues before they affect patients, is key to a successful practice.

In addition to providing an SRA, practices must also prove compliance with the other pillars of HIPAA, such as the Right of Access (or sending requested medical records to practices in a timely manner), the Breach Notification Rule, the Privacy Rule, and more. After the rise in ransomware attacks in recent years, with a nearly 300% increase in ransomware-related breaches, regulated entities’ cybersecurity practices will likely be scrutinized, ensuring that those audited are aware of their technology responsibilities.

What can I do?

Your practice must be aware of HIPAA and implement the appropriate safeguards to be prepared for the possibility of an audit. While this can be a daunting task, it is imperative for your practice to follow HIPAA compliance before a situation occurs. Thankfully, smart software can streamline and simplify HIPAA for your practice, providing a roadmap to compliance. With the right solution, your practice can see exactly what the OCR requires, which is what will be asked for if you are ever audited. To learn more about becoming audit-ready, schedule an educational consultation with our team of experts.
What is the HITECH Act and How Does it Relate to HIPAA?
January 28, 2021

Trying to understand all of the complicated rules and regulations your practice needs to follow can sometimes feel like keeping up with the Joneses – but HIPAA isn’t the only compliance rulebook your practice needs to follow, and other laws (both new and old) impact your practice operations and your HIPAA compliance program – enter the HITECH Act.

Whether it’s your first time visiting our news page (welcome!) or you’re a regular reader (welcome back!), you might’ve seen last week’s article covering the new HIPAA Safe Harbor bill that offers practices reduced HIPAA fines IF they have reasonable security safeguards already in place before a breach. The bill amends the HITECH Act to incorporate this change, but if you aren’t even sure what the HITECH Act really is, let’s take a step back and cover what the Act means for you and where these new changes come into play.

The What

The ‘Health Information Technology for Economic and Clinical Health’ Act, or HITECH Act (much easier to say), was signed into law way back in 2009 to essentially promote the implementation of health information technology, specifically the use of electronic health records (EHRs), by healthcare providers. Transitioning from paper to electronic records was (and still is) time-consuming and costly, and the HITECH Act provided incentives for making the switch – while also ensuring that healthcare organizations, along with their business associates, remained in line with HIPAA law as they upgraded their systems.

The Why

So you might be thinking – well, doesn’t HIPAA law already promote the secure usage of EHRs? You’re right (high five!), but the HITECH Act goes one step further and expands the enforcement and strength of HIPAA regulations related to technical requirements within the HIPAA Privacy and Security Rules. Thanks to the HITECH Act, violation tiers were introduced, increasing financial penalties for HIPAA violations and ultimately giving the Office for Civil Rights (OCR) more money in the bank to go after non-compliant covered entities. The HITECH Act was also designed to answer questions around how to offer the same HIPAA protections to electronic protected health information (ePHI), not just physical PHI, as practices went digital. This included:

Where the HIPAA Safe Harbor Bill Fits In

Fast forward to 2021, and all the same needs the HITECH Act was introduced to fill still apply. However, the newly signed HIPAA Safe Harbor Bill helps to reinforce the value of these security measures with the new incentives offered and the opportunity for reduced fines – and it’s one of the few pieces of new legislation you should actually feel GOOD about! So whether it’s HIPAA, HITECH, or the brand new Safe Harbor Bill – understanding and complying with each and every one of their requirements is essential to protecting your patients. Still not quite sure about what’s required? Don’t sweat it! Schedule a free consult with one of our HIPAA experts today to ensure you’re up to speed.