Federal Health & Welfare Updates

HHS Advocates for Enhanced HIPAA Audit Program

December 17, 2024

In a report issued last month, the HHS Office of Inspector General (OIG) advocated for increased HIPAA audits and enforcement efforts from the Office for Civil Rights. Of particular concern for OIG was the recent increase in cyberattacks and the vulnerability of electronic information protected by HIPAA.

As background, the Office for Civil Rights (OCR) is the HHS agency tasked with implementing and enforcing HIPAA. In 2009, HIPAA’s protections and requirements with respect to electronic protected health information (ePHI) were strengthened by the HITECH Act, which specifically mandates that OCR perform periodic audits on covered entities and business associates. Given the increasing number of successful cyberattacks, ransomware attacks, and other security incidents targeting healthcare organizations, OIG undertook an investigation to determine whether OCR is meeting its HIPAA audit obligations. The report details their findings and outlines their recommendations.

Findings

OIG considered OCR’s HIPAA audit program for the time period of January 2016 through December 2020. During this time, OCR conducted 207 audits. All of these were desk audits, with zero comprehensive on-site audits. OCR has not initiated any new audits since 2017, largely due to a lack of financial and staffing resources.

OIG found that OCR did fulfill its requirement under the HITECH Act to perform periodic audits of organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules. However, of the 180 requirements included in the HIPAA Rules, OCR’s audits assessed only eight of those requirements during that period. Those eight requirements included only two Security Rule administrative safeguards – specifically, the responsibility to conduct a security risk analysis and risk management – and zero physical or technical safeguards. Furthermore, where deficiencies were found, OCR did not require audited entities to implement a corrective action plan or confirm that deficiencies had been remediated. Because of the audits’ narrow scope and the lack of follow-up accountability, OIG concluded that OCR’s HIPAA audit program likely was not effective at improving cybersecurity protections at healthcare organizations.

Recommendations

The report contains four recommendations:

  1. Expand the scope of HIPAA audits to include physical and technical safeguards.
  2. Implement a program for ensuring that identified deficiencies are corrected in a timely manner.
  3. Identify criteria for determining whether follow-up compliance reviews should occur.
  4. Define metrics for determining the effectiveness of the HIPAA audit program in strengthening protections over ePHI.

OCR agreed with OIG’s first, third, and fourth recommendations, contingent upon receiving the funding and personnel levels needed to accomplish them. OCR also disclosed its plans to initiate additional HIPAA audits and create a follow-up survey protocol in the near future. However, OCR did not agree with OIG’s second recommendation, pointing out that entities can choose to pay a civil monetary penalty under the HITECH Act instead of correcting HIPAA deficiencies.

The report’s appendices include a description of the scope and methodology of OIG’s review, an outline of the OCR HIPAA audit process, and citations to the applicable federal requirements under HIPAA and HITECH.

Our Takeaways

Employers who sponsor group health plans—particularly self-insured group health plans that handle PHI—should be aware of OCR’s stated plans to undertake more HIPAA audits soon. For that reason, self-insured group health plans should ensure that they are complying with HIPAA’s requirements, such as regular training for staff members who handle PHI, maintaining written HIPAA policies and procedures, and conducting security risk analyses to identify IT vulnerabilities. With the upcoming change in administration, the priorities, funding, and personnel at the OCR and other federal agencies will almost certainly experience a shift. However, HIPAA compliance and cybersecurity remain important issues.

The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information

PPI Benefit Solutions does not provide legal or tax advice. Compliance, regulatory and related content is for general informational purposes and is not guaranteed to be accurate or complete. You should consult an attorney or tax professional regarding the application or potential implications of laws, regulations or policies to your specific circumstances.
