Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

Understanding the new HIPAA audit requirements

Written by Lusanda Molefe | December 21, 2024

The healthcare cybersecurity landscape has changed dramatically since the last HIPAA audits in 2017. According to the HHS Office of Inspector General (OIG) report, reported data breaches affecting more than 500 individuals increased by 102% between 2018 and 2023, with hacking-related breaches soaring by 239%.


The current state of HIPAA audits

The recent OIG evaluation revealed major gaps in OCR's HIPAA audit program. While OCR technically fulfilled its requirement under the HITECH Act to perform periodic audits, the implementation was lacking in the following ways:

  • Only 8 out of 180 HIPAA rule requirements were assessed
  • Just 2 requirements related to Security Rule administrative safeguards
  • No evaluation of physical and technical security safeguards
  • Lack of mandatory corrective actions for identified deficiencies
  • No metrics to evaluate audit effectiveness
  • No criteria for initiating compliance reviews

 

Changes coming to HIPAA audits

Based on OIG's recommendations, the new audit framework will include an evaluation of:

  • Physical safeguards:
    • Facility access control systems
    • Workstation security protocols
    • Device and media controls
    • Physical access monitoring
    • Equipment inventory management
  • Technical safeguards:
    • End-to-end encryption implementation
    • Multi-factor authentication systems
    • Network segmentation
    • Intrusion detection/prevention systems
    • Automated logging and monitoring
    • Secure backup systems
    • Mobile device management
    • Cloud security configurations
    • Remote access controls


Strengthened enforcement

OCR will implement the following new standards:

  • Documented standards for correcting deficiencies
  • Timeline requirements for implementing corrections
  • Clear criteria for triggering compliance reviews
  • Performance metrics to evaluate audit effectiveness

 

Implementation challenges and constraints

Implementing these changes faces the following challenges:

  • Organizational challenges:
    • Limited OCR funding and staffing resources
    • Voluntary nature of current HIPAA audits
    • Resistance to mandatory corrective actions
    • Potential participant deterrence
    • Complex coordination across multiple healthcare entities
  • Technical challenges:
    • Legacy system integration issues
    • Cost of implementing new security measures
    • Training requirements for staff
    • Continuous monitoring capabilities
    • Data migration complexities
    • Integration with existing workflows
  • Administrative challenges:
    • Upcoming administration changes
    • Resource allocation constraints
    • Timeline management
    • Documentation requirements
    • Compliance tracking mechanisms

 

What to do now

Healthcare organizations should immediately implement improved security measures. These include deploying encryption solutions like the ones offered by Paubox Email Suite, establishing multi-layered authentication systems, installing advanced intrusion detection platforms, implementing a zero-trust network architecture, deploying hardware and software endpoint protection solutions, and setting up secure backup procedures. They should also conduct risk assessments: reviewing administrative safeguards, evaluating physical security measures, assessing technical controls, identifying cybersecurity vulnerabilities, and documenting remediation plans.


FAQs

What is the HITECH Act?

The HITECH Act is a law created to promote and expand the adoption of health information technology, specifically the use of electronic health records (EHRs) by healthcare providers. The Act also requires entities covered by HIPAA to report data breaches affecting 500 or more persons to the United States Department of Health and Human Services (HHS), to the news media, and to the people affected by the breaches.


What are multi-factor authentication systems?

Multi-factor authentication (MFA) systems enhance security by requiring users to verify their identity using multiple forms of authentication. Typically, these systems combine something the user knows (a password or PIN), something the user has (a smartphone or hardware token), and something the user is (biometric verification like a fingerprint or facial recognition).