OIG: OCR should expand scope of HIPAA audit program

OIG recommended that OCR expand the scope of the HIPAA audit program and define metrics for evaluating the effectiveness of its audits.

The HHS Office of Inspector General recommended that the Office for Civil Rights expand its HIPAA audit program and define metrics for monitoring audit effectiveness, following an uptick in healthcare cyberattacks and data breaches over the last several years.

The increase in cyberattacks led OIG, HHS' watchdog agency, to wonder whether OCR's audits, enforcement activities and guidance were effective at protecting electronic protected health information (ePHI).

As a result, OIG launched its own audit to evaluate OCR's program for performing periodic HIPAA audits, which was required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Specifically, OIG audited how OCR ran its HIPAA audit program from January 2016 to December 2020 and measured the audit process against the HITECH Act's statutory requirements and the HIPAA Enforcement Rule's regulatory requirements.

OIG found that OCR did fulfill its duties under the HITECH Act to perform periodic audits of covered entities' compliance with HIPAA. However, the audits did not include a large portion of the safeguards required for HIPAA compliance.

"The audits consisted of assessing only 8 of 180 HIPAA Rules requirements included in OCR's audit protocol," OIG noted. "Of those eight, OCR's audits included only two Security Rule administrative safeguards and no physical and technical security safeguards."

OIG reasoned that assessing just two HIPAA Security Rule administrative safeguards was not substantive enough to truly assess the cyber-risks to the healthcare sector or the effectiveness of audited entities' security protections.

"In addition, because of their narrow scope, the HIPAA audits most likely did not identify entities, such as hospitals, that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats," OIG stated.

OCR also did not require audited entities to implement corrective actions, leaving entities with little accountability to improve their security controls and reduce risk.

Based on its findings, OIG recommended that OCR expand the scope of its HIPAA audits to address more physical and technical safeguards and implement standards for ensuring that deficiencies identified during the audits are actually corrected.

OIG also suggested that OCR determine criteria for whether a compliance issue identified during a HIPAA audit should result in OCR conducting a compliance review, and that it define metrics for monitoring the effectiveness of these audits at protecting ePHI.

OCR agreed with three of the four recommendations but noted that the office needs more funding and staffing resources to audit every provision within HIPAA.

"OCR stated that it will focus future audits on specific provisions based on a variety of factors, including industry trends and prevalent risks to protected health information," the report stated. "OCR indicated that future audits may include selected provisions from the HIPAA Security Rule, including physical or technical safeguards."

Despite agreeing with most of OIG's recommendations, OCR did not concur with OIG's recommendation to "document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner."

OCR said that under the HITECH Act, entities are permitted to choose to pay civil money penalties instead of addressing HIPAA deficiencies and that HIPAA audits were designed to be voluntary rather than an enforcement mechanism.

The office noted that it had sought legislation from Congress to authorize it to seek injunctive relief, which would allow it to pursue solutions in court to secure HIPAA compliance. Again, OCR noted that it currently does not have the staff or budget to roll out corrective action plans for every entity that falls short of HIPAA compliance.

In response, OIG maintained its recommendation and encouraged OCR to continue to seek authority for injunctive relief.

"Although we have not yet confirmed whether OCR effectively implemented our recommendations, we are encouraged by OCR's comments," OIG concluded. "We look forward to receiving and reviewing documentation related to OCR's implementation through our audit resolution process."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.