Audits Focus on HIPAA Security Rule Provisions Related to Ransomware, Hacking
The U.S. Department of Health and Human Services has quietly resumed HIPAA compliance audits of covered entities and business associates for the first time in nearly a decade.
With the surge in ransomware and other hacking incidents being reported to federal regulators in recent years, the focus of the audits is on the provisions of HIPAA most relevant to those attacks, said Tim Noonan, HHS Office for Civil Rights deputy director of health information privacy, data and cybersecurity, during a prerecorded virtual HIPAA summit that aired on Tuesday.
The 2024-2025 audits – which kicked off in late December – will include 50 covered healthcare organizations and business associates, he said.
Auditors are focusing on compliance with certain provisions of the HIPAA security rule that correlate with preventing ransomware and other hacking incidents that follow major health data breach trends, he said. From 2020 through 2024, hacking incidents have increased 30% and ransomware attacks rose 45% in major health data breaches reported to the agency, Noonan said.
In 2024, 81% of major breaches affecting 500 or more individuals reported to HHS OCR involved hacking, he said.
Noonan did not elaborate on which provisions of the HIPAA security rule are being examined, nor did he describe how the organizations are being selected for audits.
HHS OCR did not immediately respond to Information Security Media Group's request for additional details about the compliance audits, including the timeline and the specific HIPAA security rule provisions being examined.
HHS OCR last year said it planned to resurrect the audits, which were mandated under the HITECH Act of 2009 but were last conducted in 2016-2017 (see: How HHS OCR is Boosting HIPAA Enforcement: Here Come Audits).
HHS in February 2024 published in the Federal Register a notice saying that OCR would conduct a survey of HIPAA-regulated organizations that were subjects of the 2016-2017 compliance audits in order to better assess the effectiveness of the program and where improvements should be made (see: They're Back: HHS OCR Plans to Resurrect Random HIPAA Audits).
Back in November, the HHS Office of Inspector General issued a report recommending that HHS OCR resume its dormant HIPAA audit program and also document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner (see: Watchdog Report: HHS OCR Should Beef Up HIPAA Audit Program).
At the time, HHS OCR issued a response to the HHS OIG report saying that stretched resources at the agency were a factor in not relaunching the audit program sooner. "HHS OCR has had nearly flat appropriations for 20 years, even with OCR's continued requests for additional appropriations and resources, which has resulted in unsustainable workloads," the agency wrote.
HHS OCR on a webpage about the 2024-2025 audits said the new batch of audits will give the agency "an opportunity to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that may not have been revealed by OCR's enforcement actions."
HHS OCR will publish an industry report summarizing its findings after the 2024-2025 HIPAA audits are completed.
After HHS OCR completed its 2016-2017 audits – which reviewed the compliance of 166 covered entities and 41 business associates – it took the agency until December 2020 to finally issue a report on its findings (see: At Last, Results of HIPAA Compliance Audit Program Revealed).
The findings from those audits – which included the failure of many organizations to conduct a security risk analysis and the failure to provide patients access to their records – are still relevant weaknesses spotlighted by HHS OCR in its HIPAA breach and complaint investigations.
HIPAA Security Rule Update
As for other regulatory work underway at HHS OCR, Noonan said the agency is beginning to read the 4,745 public comments it received on its proposed update to the HIPAA security rule, which was published on Jan. 6 in the final days of the Biden administration (see: What's in HHS' Proposed HIPAA Security Rule Overhaul).
HHS OCR collected public comment through March 7. "We read every single comment – and will organize the comments by category … to try to get a sense of the public response to the proposals," he said.
Once those comments are reviewed, "we will work within HHS on what future actions we might take."
The HIPAA security rule, which was first finalized in 2003, has not had a major update since then, apart from some changes in 2012 related to the HITECH Act, which made business associates directly liable for HIPAA compliance.