Auditors from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) recently got a taste of their own medicine, as an audit conducted by the HHS Office of Inspector General (OIG) found that OCR’s HIPAA audit implementation was too limited in scope to effectively evaluate electronic protected health information (ePHI) protections and to demonstrate a reduction in risks within the healthcare sector.
In its report to Congress for calendar year 2022, OCR stated that it received 64,592 reported breaches affecting 42 million people and that the majority of security incidents associated with these reported breaches were related to hacking of healthcare providers. The report also states that between 2018 and 2022, the number of reported violations increased.
In its report, the OIG stated that the increase in the number of successful cyber attacks against healthcare entities’ IT systems raised the question of whether OCR’s audits, guidance, and enforcement activities to ensure protection of ePHI have been effective.
The OIG found that the OCR audits evaluated only eight of the 180 requirements of the HIPAA Rules; only two of those eight requirements related to the administrative safeguards of the Security Rule, and none related to its physical and technical safeguards.
The report also says OCR’s oversight of its HIPAA audit program was not effective in improving cybersecurity protections at covered entities and business associates.
The OIG made a series of recommendations to OCR to improve its HIPAA audit program, including expanding the scope of its HIPAA audits to evaluate compliance with the physical and technical safeguards of the HIPAA Security Rule; documenting and implementing standards and guidance to ensure that deficiencies identified during HIPAA audits are corrected in a timely manner; and defining metrics to monitor the effectiveness of OCR’s HIPAA audits in enhancing ePHI protections at audited covered entities and business associates, and periodically reviewing whether those metrics should be refined. The full recommendations are in the report.
OCR agreed with three of the recommendations and detailed the steps it has taken and plans to take in response. But OCR stated that under the HITECH Act, entities can choose to pay civil monetary penalties instead of addressing HIPAA deficiencies through corrective action plans, and cannot be required to sign resolution agreements or to correct identified problems.
OCR indicated that it has requested legislation from Congress to authorize it to seek injunctive relief, which would allow OCR to work with the Department of Justice to seek remedies in federal court to ensure compliance with HIPAA rules.
Additionally, OCR stated that it does not have the financial or personnel resources to implement corrective action plans or sanctions for every entity with HIPAA deficiencies, and that the process of negotiating resolutions and initiating formal enforcement actions is resource-intensive and would hinder other essential work.
OCR also stated that HIPAA audits were designed to be voluntary and intended to provide technical assistance rather than impose corrections. OCR stated that requiring audited entities to correct deficiencies in a timely manner could deter entities from participating in HIPAA audits. Finally, OCR stated that it agrees with implementing criteria for compliance monitoring reviews; however, it noted that entities would still have the option of paying a civil monetary penalty instead of correcting deficiencies.
In response, the OIG acknowledged that OCR faces significant challenges in managing the HIPAA Rules, which may limit its ability to implement additional compliance tools. “We encourage OCR to continue to request the funding, staff, and other resources necessary to conduct its HIPAA audits and enforce HIPAA rules, especially as the number of cybersecurity and privacy threats continues to increase. We remain concerned that OCR’s HIPAA audits, as implemented, do not provide assurance that audited entities are in compliance with the requirements of the HIPAA Rules,” the report states.
The OIG acknowledged that OCR decided to make participation in HIPAA audits voluntary; however, it disagreed with OCR’s interpretation of the potential effect of civil monetary penalties. The primary goal of these audits is for OCR to ensure that entities are complying with HIPAA regulations to protect the privacy and security of protected health information (PHI).
Additionally, the OIG stated that although the HITECH Act does not specify that entities must resolve HIPAA audit deficiencies, OCR’s response omitted that entities must still comply with the HIPAA Rules and that paying a civil monetary penalty does not exempt them from compliance. Even after a civil monetary penalty is imposed, the entity would still need to correct identified and unresolved deficiencies to comply with the HIPAA Rules. Therefore, entities should address any significant deficiencies identified in OCR audits. The OIG maintained the validity of its recommendation that OCR document and implement standards and guidance to ensure that deficiencies identified during HIPAA audits are corrected in a timely manner to protect PHI.