OCR's HIPAA Audit Program

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) requires HHS to periodically audit covered entities and business associates for their compliance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

The HHS Office for Civil Rights (OCR)'s HIPAA Audit Program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.

On this page:

2024-2025 HIPAA Audits Initiated

OCR has initiated it’s 2024-2025 HIPAA Audits. Ransomware, destructive malware, and other forms of malicious hacking present a growing and ongoing threat to the U.S. health care and public health sector and the privacy and security of electronic protected health information. In recent years, HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and business associates have experienced significant cyberattacks, which have impacted hospital operations, patient care, access to patient records and have had massive financial ramifications. Substantial increases in large breaches involving hacking and ransomware reported to OCR and the number of individuals affected by large breaches demonstrates the need for HIPAA covered entities and their business associates to ensure that they are complying with the HIPAA Security Rule.

The 2024-2025 HIPAA Audits will review 50 covered entities’ and business associates’ compliance with selected provisions of the HIPAA Security Rule most relevant to hacking and ransomware attacks. These Audits will give OCR an opportunity to examine mechanisms for compliance, identify promising practices for protecting the privacy and security of health information, and discover risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities. The Audits will benefit the selected covered entities and business associates by providing them with OCR’s assessment of their Security Rule compliance in the selected provisions and information on how to improve their cybersecurity of electronic protected health information.

OCR will publish an industry report summarizing OCR’s findings after the 2024-2025 HIPAA Audits are completed.

HIPAA Audit Survey to be sent to 2016-2017 HIPAA Audit participants

OCR is issuing an electronic “HIPAA Audit Participant Survey” to the HIPAA covered entities and business associates that participated in the 2016-2017 HIPAA Audits. The survey seeks information to evaluate the effectiveness of the 2016-2017 HIPAA Audits and identify areas of improvement for OCR’s HIPAA Audit Program, as recommended by the Government Accountability Office. This information collection request was published in the federal register on February 12, 2024, and June 3, 2024.

The survey consists of 41 questions and will assist OCR in gathering information relating to the effect of the 2016-2017 HIPAA Audits on the audited entities and the entities' opinions about the Audit process including:

  • Measuring the effect of the 2016-2017 HIPAA Audits on covered entities' and business associates' subsequent actions to comply with the HIPAA Rules;
  • Providing entities with an opportunity to give feedback on the 2016-2017 HIPAA Audits, such as the helpfulness of HHS' guidance materials and communications, the utility of the online submission portal, whether the Audit helped improve entity compliance, and the entities' responses to the Audit findings and recommendations;
  • Providing OCR with information on the burden imposed on entities to collect Audit-related documents and to respond to Audit-related requests; and
  • Seeking feedback on the effect of the 2016-2017 HIPAA Audits on the entities' day-to-day business operations.

The information, opinions, and comments collected using the online survey will be used to improve OCR’s HIPAA Audit Program. The responses received will not be used by OCR in connection with any enforcement activities. The survey will close sixty (60) days from receipt of the survey.

2016-2017 HIPAA Audits Industry Report on health care industry compliance with the HIPAA rules

OCR released its 2016-2017 HIPAA Audits Industry Report that reviewed selected health care entities and business associates for compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

OCR conducted audits of 166 covered entities and 41 business associates and notified these organizations of OCR’s findings.  OCR published this Industry Report to share the overall findings on compliance with the audited provisions of the HIPAA Rules.

Audit Program Protocol

OCR’s HIPAA Audit Program uses a comprehensive audit protocol to review covered entities' and business associates' compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Read the full Audit Program Protocol.

Content last reviewed