Healthcare
,
HIPAA/HITECH
,
Trade Particular
Audits Concentrate on HIPAA Safety Rule Provisions Associated to Ransomware, Hacking
The U.S. Division of Well being and Human Providers has quietly resumed HIPAA compliance audits of coated entities and enterprise associates for the primary time in practically a decade.
See Additionally: Utilizing the Netskope HIPAA Mapping Information
With the surge in ransomware and different hacking incidents being reported to federal regulators lately, the main focus of the audits are on provisions of HIPAA most related to those assaults, stated Tim Noonan, HHS Workplace for Civil Rights deputy director of well being info privateness, knowledge and cybersecurity throughout a prerecorded digital HIPAA summit that aired on Tuesday.
The 2024-2025 audits – which kicked off in late December – will embody 50 coated healthcare organizations and enterprise associates, he stated.
Auditors are specializing in compliance with sure provisions of the HIPAA safety rule that correlate with stopping ransomware and different hacking incidents that comply with main well being knowledge breach developments, he stated. From 2020 via 2024, hacking incidents have elevated 30% and ransomware assaults rose 45% in main well being knowledge breaches reported to the company, Noonan stated.
In 2024, 81% of main breaches affecting 500 or extra people reported to HHS OCR concerned hacking, he stated.
Noonan didn’t elaborate on which provisions of the HIPAA safety rule are being examined, nor did he describe how the organizations are being chosen for audits.
HHS OCR didn’t instantly reply to Data Safety Media Group’s request for added particulars in regards to the compliance audits, together with timeline and the particular HIPAA safety rule provisions being examined.
HHS OCR final 12 months stated it deliberate to resurrect the audits, which have been mandated beneath the HITECH Act of 2009 however have been final carried out in 2016-2017 (see: How HHS OCR is Boosting HIPAA Enforcement: Right here Come Audits).
HHS in February 2024 printed within the Federal Register a discover saying that OCR would conduct a survey of HIPAA-regulated organizations that have been topics of the 2016-2017 compliance audits with a view to higher assess the effectiveness of this system and the place enhancements needs to be made (see: They’re Again: HHS OCR Plans to Resurrect Random HIPAA Audits).
Again in November, the HHS Workplace of Inspector Common issued a report recommending that HHS OCR resume its dormant HIPAA audit program and likewise doc and implement requirements and steerage for making certain that deficiencies recognized throughout HIPAA audits are corrected in a well timed method (see: Watchdog Report: HHS OCR Ought to Beef Up HIPAA Audit Program).
At the moment, HHS OCR issued a response to the HHS OIG report saying that stretched sources on the company have been a consider not relaunching the audit program sooner. “HHS OCR has had practically flat appropriations for 20 years, even with OCR’s continued requests for added appropriations and sources, which has resulted in unsustainable workloads,” the company wrote.
HHS OCR on a webpage in regards to the 2024-2025 audits stated the brand new batch of audits will give the company “a chance to look at mechanisms for compliance, determine promising practices for safeguarding the privateness and safety of well being info, and uncover dangers and vulnerabilities that won’t have been revealed by OCR’s enforcement actions.”
HHS OCR will publish an trade report summarizing its findings after the 2024-2025 HIPAA audits are accomplished.
After HHS OCR accomplished its 2016-2017 audits – which reviewed the compliance of 166 coated companies and 41 enterprise associates – it took the company till December 2020 to lastly concern a report on its findings (see: At Final, Outcomes of HIPAA Compliance Audit Program Revealed).
The findings from these audits – which included the failure of many organizations to conduct a safety danger evaluation and the failure to present sufferers entry to their information – are nonetheless related weaknesses spotlighted by HHS OCR in its HIPAA breach and criticism investigations.
HIPAA Safety Rule Replace
As for different regulatory work underway at HHS OCR, Noonan stated the company is starting to learn the 4,745 public feedback it acquired on its proposed replace to the HIPAA safety rule, which was printed on Jan. 6 within the closing days of the Biden administration (see: What’s in HHS’ Proposed HIPAA Safety Rule Overhaul).
HHS OCR collected public remark via March 7. “We learn each single remark – and can set up the feedback by class … to attempt to get a way of the general public response to the proposals,” he stated.
As soon as these feedback are reviewed, “we are going to work inside HHS on what future actions we would take.”
The HIPAA safety rule, which was first finalized in 2003, has not had a serious replace since then, apart from some modifications in 2012 associated to the HITECH Act which made enterprise associates instantly accountable for HIPAA compliance.
