Federal regulators want to begin a new wave of health information privacy and data security audits, according to attorneys at Foley & Lardner.
The U.S. Department of Health and Human Services has defined benefits brokers, benefits consultants and benefit plan administrators as "business associates" of "covered entities" for purposes of enforcing the Health Insurance Portability and Accountability Act health information requirements.
That means any new HIPAA audits could affect benefits brokers and consultants as well as covered entities like health insurance companies, hospitals and medical offices.
Brokers' efforts to prepare for the audits and the audits themselves could help protect firms against ransomware attacks and other cybersecurity threats, but any audits could also expose brokers to the possibility of facing fines or other penalties.
The HHS Office for Civil Rights audited 41 business associates and 166 covered entities in 2016 and 2017, then stopped conducting new audits.
Since 2017, hackers have launched massive attacks on health care organizations like UnitedHealth's Change Healthcare unit.
The HHS Office of the Inspector General blasted its colleagues' efforts to enforce HIPAA health privacy and data security compliance in a report posted in November 2024.
The HHS Office for Civil Rights "oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates," officials said.
When the HHS Office for Civil Rights conducted the 2016-2017 HIPAA audits, it looked at only eight of the 180 HIPAA requirements and just two of the requirements included involved data security. "None were related to physical and technical security safeguards," officials said.
Correspondence included in the Office of the Inspector General report shows that the HHS Office for Civil Rights hoped to conduct new HIPAA audits in late 2024 or early 2025, Michaela Wiese and two other Foley & Lardner attorneys wrote in a new commentary.
"The key takeaway is that OCR is committed to recommencing HIPAA audits, and the scope will be expanded from the previous audits," the attorneys said.
The attorneys said a business associate should:
- Conduct a comprehensive HIPAA security risk analysis.
- Establish HIPAA privacy, security and data breach policies.
- Provide HIPAA training for workers.
- Get HIPAA business associate agreements with any business associates.
- Put the required content in its HIPAA privacy practices notice.
- Verify that a prominent link to the privacy notice is displayed on its homepage.
But many Republicans in Congress have expressed support for efforts to improve data security. In June, for example, Rep. Cathy McMorris Rodgers, R-Wash., worked with another Republican and two Democrats to introduce the American Privacy Rights Act of 2024.
Because of that history, HIPAA data security could be an area where work will continue along a similar track.
© 2025 ALM Global, LLC, All Rights Reserved.