The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) will use all its tools, including reviving the HIPAA compliance audit, to enforce compliance with the HIPAA Security Rule as it applies to covered entities and business associates.  The last phase of audits, conducted between 2016 and 2017, consisted of documentation requests that uncovered many entities' failure to implement a risk analysis and risk management program, among other deficiencies. As noted in the HIPAA Summit Recap, HHS intends to move forward with a crucial new risk analysis initiative.  In addition, OCR will focus on HIPAA Security Rule compliance related to organizations' use of tracking technologies such as pixels and SDKs as an enforcement priority. 

The likelihood of being subject to a HIPAA compliance audit for most organizations remains low; however, organizations that have become business associates, such as technology providers and advertising agencies since HHS' last audits in 2017, should take notice of the new regulatory environment surrounding health data, both inside and outside of HIPAA. Furthermore, recent high-profile data breaches and increased litigation in health care and beyond concerning online tracking technologies will keep health data in the spotlight as enforcement increases.  Organizations should be assessing their risk of enforcement by OCR, FTC, and state attorneys general, as well as suits by private litigants.