The Next Big Wave: Anticipating a Surge in HIPAA Compliance Audits

Desk audits, onsite audits, invoice audits…and HIPAA compliance audits?! Unfortunately every community pharmacy has some familiarity with third party payor audits, and PAAS National® audit analysts bring their expertise to guide members through the entire audit process, ensuring everything goes as smoothly as possible.

But what about HIPAA compliance audits? With a potential surge in these audits on the horizon, it is important for covered entities (i.e., pharmacies) to evaluate their HIPAA compliance policies and procedures to fortify their program.

You may ask, “Why are these audits being performed?” The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the Department of Health and Human Services (HHS) conduct periodic HIPAA audits, submit an annual report to Congress on HIPAA compliance, and provide annual guidance on the most effective technical safeguards for meeting Security Rule requirements. The Office for Civil Rights (OCR), within HHS, is tasked with overseeing these responsibilities. To verify that OCR was performing its respective duties, the Office of Inspector General (OIG) performed a review of OCR’s HIPAA compliance audit process.

According to the OIG November 2024 brief, “OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:

  • OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
    • OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
    • Only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
  • OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.”

OIG recommended that OCR increase the volume and breadth of its audits to raise its assurance that covered entities (like pharmacies) and business associates have complied with the Security Rule. OIG stated that these audits will also give OCR more opportunities to help covered entities strengthen their security over ePHI.

Additionally, on December 27, 2024, OCR issued a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. This is the first time since 2013 that OCR has sought to update the Security Rule. With the dramatic increase in cybersecurity threats, both malicious and unintentional, updates seem more important now than ever. A fact sheet on the NPRM is available online.

Since HIPAA compliance audits may be in your future (along with Security Rule updates), now is a great time to evaluate your HIPAA compliance program and get a good handle on where your vulnerabilities are, what threats you face, and the risk those threats pose. If you’re not sure where to start, check out the PAAS FWA/HIPAA Compliance Program!

PAAS Tips:

  • Understand the components and importance of a HIPAA Security Risk Analysis
    • Perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the pharmacy’s ePHI
    • Identify and implement reasonable and appropriate physical, technical, and administrative safeguards as required by the HIPAA Security Rule
  • Know the terms
    • Vulnerability – a flaw or weakness in system security procedures, design, implementation or internal controls
    • Threat – the potential for a person or thing to exercise a specific vulnerability (natural, human, and environmental)
    • Risk – a function of the probability that a threat will exercise a vulnerability and the resulting impact on the organization
  • PAAS’ FWA/HIPAA Compliance Program members have access to:
    • Updates to their HIPAA Risk Analysis
    • Annual Cybersecurity training on the Member Portal
    • Policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification rules, including customized administrative, physical and technical safeguards
    • Contingency Planning and Preparedness
    • Pharmacist experts to support you in FWA/HIPAA Compliance
  • Watch the PAAS National® webinar, Cybersecurity Considerations for Community Pharmacies, located on the Member Portal

Sara Hathaway, PharmD