Employee Benefit News for School, City and County Employers

HIPAA Audit Program Resumes

Written by Nicole Miller | Jan 24, 2025 5:15:28 PM


The U.S. Department of Health and Human Services (HHS) has updated its HIPAA enforcement website to announce the start of the 2024-25 HIPAA audit program. The program has been dormant since 2016-17 due to funding issues.

The 2024-25 HIPAA audits will review 50 covered entities, focusing on compliance with key Security Rule provisions to combat hacking and ransomware. HIPAA audits focus on compliance improvement, but serious issues may lead to a compliance review.

 

HIPAA Security Rule

The HIPAA Security Rule mandates the protection of electronic protected health information (ePHI) by requiring covered entities to assess risks and implement safeguards to ensure confidentiality, integrity, and availability.

 

HIPAA Audit Program

HHS must regularly audit entities for HIPAA compliance. The last audits were in 2016-17, covering 166 entities and 41 associates.

A November 25, 2024, report by HHS’ Office of Inspector General (OIG) found the HIPAA audit program ineffective in boosting cybersecurity at regulated entities. OIG suggested expanding the audit scope to better assess compliance with Security Rule safeguards.

In December 2024, it was announced that HIPAA audits would resume, focusing on cybersecurity-related compliance. An industry report will summarize the 2024-25 HIPAA audits once they are completed.

Employers with health plans accessing ePHI should regularly check HIPAA Security Rule compliance, ensuring their risk analysis is current and safeguards are in place.