HHS OCR Launches New Round of HIPAA Compliance Audits

Audits Focus on HIPAA Security Rule Provisions Related to Ransomware, Hacking Marianne Kolbasuk McGee (HealthInfoSec) • March 25, 2025

The U.S. Department of Health and Human Services has quietly resumed HIPAA compliance audits of covered entities and business associates for the first time in nearly a decade.

See Also: Using the Netskope HIPAA Mapping Guide

With the surge in ransomware and other hacking incidents being reported to federal regulators in recent years, the focus of the audits are on provisions of HIPAA most relevant to these attacks, said Tim Noonan, HHS Office for Civil Rights deputy director of health information privacy, data and cybersecurity during a prerecorded virtual HIPAA summit that aired on Tuesday.

The 2024-2025 audits - which kicked off in late December - will include 50 covered healthcare organizations and business associates, he said.

Auditors are focusing on compliance with certain provisions of the HIPAA security rule ...