The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) is gearing up to resume its privacy and security audit program in 2014, following a pilot program conducted in 2012-2013.

The audits, based on compliance with both HIPAA (Health Insurance Portability and Accountability Act) and this year's HIPAA Omnibus Rule, will target not only covered entities but also business associates, to whom liability was extended in the Omnibus Rule.

At a Privacy and Security Forum in Boston on Sept. 23, OCR Director Leon Rodriguez announced that audits will be "off and running in the next calendar year," which begins this Oct. 1.

The test program was run by accounting firm KPMG, but OCR is currently hiring audit personnel and interviewing potential contractors for the next round.

Rodriguez said the pilot audits found that organizations' risk analyses of the data security measures they already have in place are not thorough enough. He also said OCR hopes to levy and collect $4.5 million in non-compliance penalties to help fund the upcoming program.