Dive Brief:
The Office for Civil Rights, which oversees HIPAA enforcement, needs to improve its program for auditing compliance with the law's privacy and security requirements, according to a report released Monday by the HHS Office of Inspector General. OIG said that while OCR met the requirement to conduct periodic HIPAA audits, the program was too narrow in scope to effectively assess the protection of an organization's health data and reduce risk. Overall, the audits were not effective in improving the cybersecurity of healthcare companies and their business partners, a major concern for regulators and lawmakers as cybercriminals increasingly target the industry.
Dive Insight:
The report analyzed how OCR conducted HIPAA audits from 2016 to 2020 and found that the agency's audits evaluated only a small share of the law's requirements.
The audits assessed only eight of the 180 HIPAA requirements, the OIG said. Those eight included two administrative safeguards under HIPAA's Security Rule, which require covered entities to analyze and manage risks to protected health information.
However, according to the OIG, the audits did not assess any of the physical or technical safeguards for a healthcare organization's data, the controls intended to prevent unauthorized actors, such as hackers, from gaining access to technology systems and exposing protected data. Whether those protective measures were in use was not evaluated.
“HIPAA audits are narrow in scope and may be used by organizations, such as hospitals, that do not have the physical and technical safeguards defined in the security regulations in place to protect ePHI from common cybersecurity threats,” the watchdog wrote in the report.
The agency's audit program also overlooked ways to address noncompliance, the OIG said. OCR did not require corrective actions from the companies it audited, and it rarely initiated additional reviews when significant problems were found during audits.
The agency also did not monitor the results of its audit program or document the frequency of audits as of 2020, according to the report.
The watchdog recommended that OCR expand the scope of its audit program, document standards to ensure companies remediate issues found during assessments, and define criteria for when the agency should initiate compliance reviews. It also proposed establishing metrics to evaluate the effectiveness of HIPAA audits.
OCR agreed with most of the recommendations, but added that the agency's budget is small and it has not yet received additional funding or personnel to enforce HIPAA.
The agency's budget remained flat at approximately $38 million from fiscal year 2018 to fiscal year 2020. Meanwhile, OCR received more complaints and reports of large-scale data breaches, and the number of investigative staff decreased by 30% from fiscal year 2010 to fiscal year 2023, OCR Director Melanie Fontes Rainer wrote to the OIG.
“These requested additional resources were not received, resulting in a lack of sufficient funds to perform all required operational activities, resulting in HIPAA audits being conducted more frequently, on a larger scale, or with a greater number of people. We have fewer staff and investigators to conduct them,” she wrote.
The agency disagreed with the OIG's recommendation to document and implement standards to ensure that problems found in HIPAA audits are corrected. OCR argued that the law gives covered entities the option of paying a civil penalty in lieu of resolving an investigation with a remediation plan. The agency added that resource constraints have hindered the implementation of corrective action plans and that HIPAA audits are intended to provide technical assistance rather than make corrections.