On February 12, 2024, the U.S. Department of Health and Human Services (“HHS”) published a notice in the Federal Register regarding reinstatement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Audit Program (“HIPAA Audit Program”), including an assessment of the impact of past audits and possible preparation to use the previous audit process again.
HIPAA Audit Program – Background
Under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), passed in 2009, the HHS Office for Civil Rights (“OCR”, the specific office tasked with enforcing HIPAA) was required to undertake “periodic audits” of HIPAA covered entities and business associates to determine those entities’ compliance with HIPAA. The program began in fits and starts, with a first round of audits in 2012 and a second round between 2016 and 2017.
During the 2016-2017 audit cycle, OCR audited the policies and procedures adopted and employed by 166 covered entities and 41 business associates to determine their compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. The 2016-2017 audit cycle concluded in December 2020, when OCR issued a report with its audit findings. Among other things, OCR determined that many entities’ HIPAA-required Notice of Privacy Practices did not include required language and that covered entities were not consistently providing individuals access to their protected health information as required under the Privacy Rule. After issuance of its 2020 report, the HIPAA Audit Program went dormant.
Planning for the Future
After over 3 years of silence on the HIPAA Audit front, the Federal Register notice published on February 12, 2024, states that OCR will be reviewing the 2016-2017 audit cycle in order to assess:
- The effect of the audit on covered entity and business associate compliance activities;
- Feedback from the audited entities regarding the helpfulness of HHS’ audit communications, online audit submission portal, and the December 2020 final report;
- The burden on audited entities posed by collecting documentation and compiling responses to the audit; and
- The impact of the HIPAA Audit program on the audited entities’ day-to-day operations.
The notice states that while the information will be used to review the 2016-2017 audit cycle, it will also be used to improve the HIPAA Audit process moving forward. Based on this, it seems clear that OCR plans to restart the HIPAA Audit Program in the future. The notice also provides contact information for interested individuals to comment on the proposed actions by April 12, 2024.