The Limits of HIPAA Auditing and What Needs to Change

The following is a guest article by Jay Trinckes, Data Protection Officer/CISO at Thoropass
The healthcare industry faces a critical cybersecurity challenge. Despite the stringent requirements outlined in the Health Insurance Portability and Accountability Act (HIPAA), enforcement remains alarmingly limited. A recent report revealed that the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) typically only assesses eight out of 180 HIPAA provisions during audits, leaving hospitals and healthcare organizations exposed to significant compliance and security risks. Compounding this issue, OCR may now have even fewer resources to enforce HIPAA regulations amid shifting federal priorities and ongoing budget cuts in Washington.
This enforcement gap highlights a harsh reality – IT teams cannot rely solely on external audits to ensure regulatory compliance and data security. They must take ownership of their own security and work toward building internal compliance frameworks that go beyond the minimum requirements.
Understanding the Gap
Anyone familiar with HIPAA’s inner workings will not be surprised by the findings of the OCR report. This enforcement gap has been a constant issue since HIPAA was established over 20 years ago. The government simply lacks the resources to conduct thorough audits of every healthcare organization across the United States. Instead, regulators largely rely on self-reporting, accepting organizations’ claims of compliance without verifying them. As a result, audits are rare and limited in scope, leaving substantial gaps in enforcement and exposing healthcare organizations to greater risks.
Compounding this issue is the reactive nature of the current regulatory model. This approach focuses on addressing problems after they arise, rather than conducting regular assessments to prevent them in the first place. The lack of enforcement creates a dangerous environment in which critical vulnerabilities can go unnoticed until it’s too late.
Other sectors of the government are addressing this issue by adopting more stringent models that HHS should consider. For instance, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) mandates independent assessments for all DoD contractors and subcontractors to ensure compliance with rigorous cybersecurity standards. Implementing a similar framework in healthcare could be what’s needed to enhance accountability and reduce reliance on self-reported compliance.
However, relying on potential future regulatory changes is not a viable strategy. IT teams must take the lead in closing compliance gaps and strengthening their organization’s cybersecurity posture before the next breach occurs.
Building an Internal Framework
I’m a big believer in adopting a comprehensive internal compliance framework that exceeds baseline regulatory requirements. At the core of this strategy is implementing an integrated management system (IMS) that covers security, privacy, and quality management. This holistic framework enables healthcare organizations to manage multiple compliance areas under a unified structure, reducing redundancies and improving efficiency. An IMS also ensures that data protection efforts align with broader organizational goals while maintaining continuous oversight of sensitive patient information.
Healthcare IT teams should also leverage established industry standards and frameworks. For example, NIST SP 800-66 Revision 2 provides specific guidance for implementing the HIPAA Security Rule, while the NIST Cybersecurity Framework (CSF) and NIST Privacy Framework offer broader guidance for managing cybersecurity risks and privacy obligations. These frameworks help translate HIPAA’s legal mandates into specific security practices, making compliance both measurable and enforceable.
To further strengthen internal processes, organizations can adopt international standards like ISO 27001 for information security and ISO 27701 for privacy management. These globally recognized certifications provide a structured approach to managing sensitive data while demonstrating a clear commitment to security best practices. While HIPAA itself lacks a dedicated certification program, healthcare organizations can pursue HITRUST CSF certification, which includes an independent third-party review. This certification is tailored specifically for healthcare and helps validate that IT systems meet stringent compliance and data security standards.
Combined, these measures bring tangible benefits: stronger regulatory adherence, enhanced patient trust, and greater operational efficiency. They also build long-term resilience against emerging cybersecurity threats – an essential safeguard in an industry that remains a prime target for cyberattacks.
Quick Security Fixes
Hospitals can immediately enhance their cybersecurity posture by implementing some straightforward yet powerful technical fixes. First, ensure that all protected health information (PHI) is encrypted both at rest and in transit. Encryption creates an additional layer of protection, making sensitive data unreadable to unauthorized users even if a breach occurs. Another critical step is enabling multi-factor authentication (MFA) for accessing PHI. MFA requires users to verify their identity through multiple methods, significantly reducing the risk of compromised credentials.
To further strengthen security, hospitals should adopt advanced tools that focus on tracking and protecting the data itself. Data loss prevention (DLP) tools can track the movement of PHI across systems, ensuring that sensitive information doesn’t end up where it shouldn’t. Additionally, AI-powered security tools can analyze vast amounts of data in real time, detecting anomalies and alerting IT teams to potential threats before they escalate. These technologies are continuously evolving, so IT teams should stay abreast of the latest developments and integrate new capabilities as they become available.
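The DLP idea above (tracking where PHI moves and flagging transfers to places it should not go) can be illustrated with a small rule engine. The following is an added example and not code from the article or from Thoropass; the event format, the PHI patterns, the allowed-destination list and the sample transfer log lines are all constructed for illustration, and a production DLP rule set would be far broader and validated against real data classes.

```python
import re
from dataclasses import dataclass

# Destinations where PHI is permitted to flow (constructed for this example).
ALLOWED_PHI_DESTINATIONS = {"ehr.internal.example", "claims.clearinghouse.example"}

# Identifiers a DLP rule treats as PHI. These are deliberately simple
# illustrative patterns, not a complete or production-grade rule set.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,8}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Constructed outbound-transfer events in a hypothetical log format:
#   user=<account> dest=<destination host> body="<excerpt of transferred content>"
SAMPLE_EVENTS = [
    'user=nurse.a dest=ehr.internal.example body="Updated chart MRN-00123456 for follow-up"',
    'user=clerk.b dest=mail.personal.example body="Patient list: John Doe 123-45-6789 DOB 04/12/1980"',
    'user=it.c dest=files.share.example body="Server patch schedule for Friday"',
    'this line is malformed and should be skipped',
    'user=billing.d dest=claims.clearinghouse.example body="Claim for MRN-00987654 DOB 11/30/1975"',
]

EVENT_RE = re.compile(r'user=(\S+) dest=(\S+) body="(.*)"')


@dataclass
class Finding:
    user: str
    destination: str
    kinds: list        # PHI categories detected, sorted for stable comparison
    severity: str      # "info" for permitted flows (audit trail), "high" for unapproved ones


def parse_event(line):
    """Parse one transfer event; return None for lines that do not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"user": m.group(1), "destination": m.group(2), "body": m.group(3)}


def find_phi(text):
    """Return the sorted list of PHI categories whose pattern occurs in text."""
    return sorted(kind for kind, pattern in PHI_PATTERNS.items() if pattern.search(text))


def evaluate(event):
    """Apply the DLP policy to one parsed event; None when no PHI is present."""
    kinds = find_phi(event["body"])
    if not kinds:
        return None
    # PHI moving to an approved system is recorded for audit; anywhere else is an alert.
    severity = "info" if event["destination"] in ALLOWED_PHI_DESTINATIONS else "high"
    return Finding(event["user"], event["destination"], kinds, severity)


def scan(lines):
    """Run the policy over a batch of log lines, skipping malformed entries."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 1, "info": 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.user} -> {f.destination}: {', '.join(f.kinds)}")
    print(summarize(results))
```

The design point is the split between detection (which PHI classes appear) and policy (where that PHI is allowed to go): the same detection feeds both an audit record for approved flows and an alert for unapproved ones, which is what lets the IT team review the trail later rather than only react to alerts.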
Other Critical Concerns
With more hospitals moving to cloud or hybrid IT environments, security remains a top priority. Fortunately, many best practices for cloud security mirror those used for on-site systems. Key steps include segmenting networks to keep sensitive data separate, controlling data movement, and using access controls like role-based permissions and security groups. IT teams should also assign specific tasks to dedicated servers and separate standard user roles from privileged accounts.
Third-party vendor risks are another critical security concern. While business associate agreements (BAAs) provide legal protection by requiring vendors handling PHI to comply with HIPAA security standards, IT teams should go a step further. They can request third-party audits or certifications to verify vendors’ compliance. Additionally, it’s wise to ensure that any subcontractors that vendors work with are held to the same security standards through clear contractual obligations.
Final Thoughts
Healthcare IT teams face a choice: remain reactive, scrambling to fix compliance issues after they surface, or adopt a forward-thinking approach that transforms cybersecurity from a regulatory burden into a strategic advantage. Through building strong internal frameworks, securing IT infrastructure, and holding vendors accountable, hospitals can shift from merely checking boxes to leading the charge in data protection.
About Jay Trinckes
Jay has two decades of experience in cybersecurity and privacy. He advises organizations on security and privacy issues and specializes in privacy, healthcare, medical devices, government, banking and credit unions, and regulatory requirements including HITRUST, HIPAA, GDPR, and CPRA/CCPA. He has extensive experience in information security consulting, privacy, auditing, computer networks, vulnerability and penetration testing, compliance, and risk assessments, and has published multiple books on related topics.