The U.S. Department of Health and Human Services' Office of Inspector General investigated how the Office for Civil Rights ran its Health Insurance Portability and Accountability Act periodic audit program from January 2016 to December 2020, and a new report suggests the program was largely ineffective in preventing breaches of medical information.
After evaluating OCR's program for conducting periodic HIPAA audits, OIG recommended expanding its coverage to better implement the requirements of the 2009 HITECH Act, which extends criminal and civil penalties to business associates of covered entities.
Why it matters
OCR met the HITECH Act's requirement to conduct periodic HIPAA audits, but the scope of those audits was too narrow, leaving physical and technical safeguards largely unevaluated, the OIG concluded in a report published Friday.
“OCR's oversight of the HIPAA audit program has likely been ineffective in improving companies' cybersecurity protections,” the OIG said in its findings.
The watchdog audited how OCR managed its HIPAA audit program and reviewed 30 of the 207 final HIPAA audit reports and related documents produced by OCR from 2016 to 2020.
When OCR conducted a HIPAA audit during that period, it reviewed eight of the 180 HIPAA rule requirements. OIG notes that two of these eight requirements relate to the security rule's administrative safeguards (security risk analysis and risk management), but none relate to physical or technical safeguards.
Security flaws in OCR's audit program go back more than a decade, the OIG said in a new report.
Healthcare providers and business associates have struggled to implement the administrative safeguards required by the HIPAA Security Rule, the OIG said, a conclusion OCR itself reached after conducting HIPAA audits in 2012.
“However, in general, assessing only the two administrative safeguard requirements is sufficient to assess the risks within the healthcare sector and determine the (electronic protected health information) requirements that should be implemented as required by the (HIPAA) security regulations, but it is not sufficient to determine the effectiveness of security protections,” the OIG said.
Although OCR performed the required audits, audited organizations were able to get away with not fully complying with HIPAA security requirements.
“Furthermore, HIPAA audits are narrow in scope and cannot identify organizations such as hospitals that do not have the physical and technical safeguards defined in the security regulations in place to protect ePHI from common cybersecurity threats. It is highly likely that this occurred,” the OIG said.
For its audit of OCR's HIPAA audit program, the OIG reviewed the HITECH Act's legal requirements, the HIPAA implementing regulations, OCR's policies and procedures for implementing HITECH requirements and enforcing the HIPAA rules, the agency's HIPAA compliance reports to Congress, and the cyber-related guidance the agency provided to the healthcare industry from 2016 to 2020.
The OIG recommends that OCR:
- Expand the scope of HIPAA audits to assess compliance with the Security Rule's physical and technical safeguards.
- Document and implement standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner. OCR disagreed with this recommendation.
- Define and document criteria for determining whether compliance issues identified during a HIPAA audit require OCR to initiate a compliance review.
- Define metrics to monitor the effectiveness of OCR's HIPAA audits in improving audited entities' protection of ePHI, and periodically review whether these metrics need improvement.
OCR agreed with the other three recommendations and provided OIG with details of the steps it has taken to date and plans to take in response, according to a statement from HHS.
At issue is whether OCR should compel healthcare providers to fix deficiencies discovered during HIPAA audits. “HIPAA audits are designed to be voluntary and are intended to provide technical assistance rather than force remediation,” the OIG said in its report, relaying OCR's response to the review.
“OCR notes that under the HITECH Act, companies can choose to pay civil penalties in lieu of addressing HIPAA deficiencies through remediation plans, so it cannot force companies to sign resolution agreements and quickly fix problems,” the OIG added.
Fines arising from OCR security audits are high, and healthcare organizations have an interest in taking steps to avoid them.
As the federal government's HIPAA auditor, OCR told the OIG that it has appealed to Congress for authority to seek injunctive relief. “This will allow OCR to work with the Department of Justice to seek relief in federal court to ensure compliance with the HIPAA rules.”
The larger trend
HHS develops national standards for the use and disclosure of health information under HIPAA, including the Privacy Rule, Security Rule and Breach Notification Rule, which set the standards for protecting ePHI. In August 2009, HHS delegated authority to OCR to implement and enforce the Privacy Rule and Security Rule. Failure to comply can result in civil monetary penalties.
OCR piloted an audit program in 2011, and in its 2013 review of that program, the OIG found that OCR met some federal requirements related to oversight and enforcement of the HIPAA Security Rule, but that there was limited assurance that covered entities were complying with the rule.
At the time, the OIG recommended that the agency strengthen its regular audits under the HITECH Act to ensure that companies were complying with the HIPAA Security Rule.
In 2016, during the second wave of HIPAA audits, OCR announced that it would conduct on-site HIPAA audits of hospitals the following year.
“We're looking for evidence that you have policies and procedures in place,” OCR Senior Advisor Linda Sanchez said at the 2016 HIMSS and Healthcare IT News Privacy and Security Forum.
“The two big challenges we face are risk analysis and risk management implementation.”
OCR's investigations have found that years of systemic non-compliance with the HIPAA Security Rule led to large-scale breaches of PHI, resulting in millions of dollars in fines.
In its review of the HIPAA audit program, OCR reiterated what it has said many times:
Because negotiating resolutions and initiating formal enforcement actions requires significant resources, the OIG reported that OCR does not have “the financial or human resources to pursue corrective action plans and penalties against all entities with HIPAA deficiencies.”
In October, HHS submitted proposed amendments to the HIPAA Security Rule to the Office of Information and Regulatory Affairs to strengthen the cybersecurity of ePHI. After the White House considers the proposal, HHS may publish a notice of proposed rulemaking for public comment.
“These amendments will strengthen the requirements for HIPAA-regulated entities to protect (ePHI) by preventing, detecting, containing, mitigating and recovering from cybersecurity threats,” OCR wrote in its proposal summary. “This will improve cybersecurity in the sector.”
OCR told Healthcare IT News in an email that the agency plans to release a proposed rule next month when amendments to the HIPAA Security Rule are submitted.
The American Hospital Association and other organizations have rejected HHS' proposals to mandate cybersecurity requirements and penalize hospitals for cyberattacks.
On the record
“For example, OCR did not require audited companies to address deficiencies by implementing or verifying corrective action,” the OIG said in its findings.
“Furthermore, OCR did not monitor the results of the HIPAA audit program. This occurred because OCR lacked documented processes and procedures for implementing these audit steps, including timely resolution of identified deficiencies,” the watchdog continued.
“Without a response from the entity, OCR cannot determine whether any corrective actions have been or will be taken to address deficiencies that, if left unchecked, could impact patient data, care or safety.”