OIG Recommends Changes to HIPAA Audit Program to Strengthen Data Protections, Implications for Regulated Entities
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is required by law to perform periodic audits of covered entities and business associates to ensure their compliance with HIPAA Security Rule requirements. These periodic audits are known as “HIPAA audits.”
But the increasing number of successful cyberattacks against health care organizations has cast doubt on the effectiveness of OCR’s HIPAA audit program in ensuring the protection of electronic protected health information (ePHI): between 2018 and 2023, reported breaches affecting more than 500 records increased by 102%, and the number of hacking-related breaches reported to OCR skyrocketed by 239%.
Reacting to concerns about the sufficiency of OCR’s enforcement, the HHS Office of Inspector General (OIG) recently evaluated the effectiveness of OCR’s HIPAA audit program.
OIG’s report, issued last week, found that OCR’s oversight of its HIPAA audit program is not effective at improving cybersecurity protections of covered entities and business associates – no surprise, given that OCR has not even conducted a HIPAA audit since 2017. OIG recommended a series of steps that OCR should take to enhance its HIPAA audit program, highlighting the urgency of strengthening cybersecurity measures in the healthcare industry. Covered entities and business associates should be aware of these recommendations, as OCR’s implementation of the changes may cause a shift in the regulatory environment for HIPAA compliance.
For more information, the full report published by OIG (A-18-21-08014) is available here, and a summary of key points from the report is available here.
OIG’s Findings
OIG found that although OCR technically fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits, its implementation of those audits was deficient. Specifically, OCR’s audits assessed only 8 of the 180 requirements in the HIPAA Rules, and only 2 of those 8 related to Security Rule administrative safeguards – none related to physical and technical safeguards such as encryption, access controls, network security measures, and ransomware protections. OIG said that the narrow scope of OCR’s HIPAA audits meant they most likely did not identify entities, such as hospitals, that had not implemented the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats.
Additionally, OIG observed that OCR did not require audited entities to respond to deficiencies by implementing corrective actions and confirming implementation, nor did OCR monitor HIPAA audit program outcomes. Further, OCR failed to define criteria for initiating compliance reviews for organizations with serious compliance issues, limiting OCR’s ability to enforce meaningful change.
Finally, OIG notes that OCR has not established metrics to evaluate the effectiveness of its audits or to monitor whether its audits lead to improved cybersecurity protections for ePHI. As a result, OCR lacks assurance that its audits are achieving their intended goal of reducing cybersecurity risks and vulnerabilities.
OIG’s Recommendations
In line with its findings, OIG recommends four key changes for improving OCR’s HIPAA audit program:
- OCR should expand the scope of its HIPAA audits and assess compliance with physical and technical safeguards under the Security Rule, in addition to administrative safeguards. These safeguards include critical protections such as encryption, access controls, network security measures, and ransomware protections.
- OCR should document and enforce standards for correcting deficiencies identified during its audits and ensure timely implementation of these corrections.
- OCR should establish clear criteria for initiating compliance reviews when audits reveal serious compliance issues.
- OCR should define metrics to evaluate whether its audits are improving cybersecurity protections with respect to audited organizations. These metrics should be periodically reviewed and refined.
Although OCR agreed with three (3) of the four (4) recommendations, it noted that limited funding and staffing resources remain significant obstacles to expanding its audit program. OCR also stated that the HIPAA audits are designed to be voluntary and intended to provide technical assistance rather than enforce corrections – and OCR expressed concerns that mandatory corrective actions could deter entities from participating in HIPAA audits.
The upcoming change in administration may further impact OCR’s ability and willingness to implement OIG’s recommended changes.
Implications for Healthcare Providers
As data breaches, ransomware attacks, and other similar incidents continue to rise, OIG’s report serves as a critical reminder of the importance of rigorous ePHI protections. Inadequate cybersecurity measures not only expose healthcare organizations to regulatory penalties but also jeopardize patient trust and safety. And OIG’s report outlining the myriad deficiencies of OCR’s HIPAA audit program may motivate OCR to engage in increased enforcement activity in all aspects of HIPAA compliance.
Covered entities and business associates should take proactive steps to address potential cybersecurity vulnerabilities and strengthen HIPAA compliance and ePHI protections. Some key considerations include:
- Implement and maintain robust physical and technical measures, including data encryption, multi-factor authentication, intrusion detection systems, and network security measures.
- Regularly audit risks to ePHI across all areas, including administrative, physical, and technical safeguards under the Security Rule, and ensure that such audits address cybersecurity vulnerabilities, such as outdated software, insufficient encryption, and/or weak access controls or network security. OCR’s comprehensive audit protocol, last updated in July 2018, may be a helpful starting point, although updates to the protocol may be necessary to account for the several changes and developments in the interim.
- Establish (or review and update) internal protocols in response to OIG’s recommendations, promptly address any deficiencies identified during audits, and use audit findings to improve those protocols. Maintain detailed documentation of remediation efforts, such as an incident response plan and corrective action plans, to demonstrate compliance should OCR initiate its own audit, investigation, or review. These protocols should include procedures for notifying affected individuals and reporting breaches to OCR in compliance with the HIPAA Breach Notification Rule. Employees and staff should be educated on these internal protocols, and providers would be wise to conduct regular training sessions on identifying and mitigating cybersecurity threats, such as phishing attacks.
- Monitor updates to OCR’s audit program and enforcement priorities, including the potential expansions of its audit scope to cover additional HIPAA provisions as recommended by OIG, and anticipate heightened scrutiny of cybersecurity practices in light of rising threats.
By taking these steps, covered entities and business associates can strengthen their defenses against cybersecurity threats, ensure compliance with HIPAA requirements, and protect the sensitive health information of the patients they serve.
We Can Help
In an era of escalating cybersecurity threats, proactive compliance is more critical than ever. Let our team of experienced healthcare attorneys help you navigate the complexities of HIPAA regulations and safeguard your organization against potential risks.
Our firm has extensive experience advising health care providers on HIPAA compliance, cybersecurity, and data protection matters. We can counsel you on conducting risk assessments and on designing and implementing internal controls and action plans to address compliance deficiencies, advise you on best practices for HIPAA compliance, cybersecurity, and ePHI protection, and represent you in the face of OCR audits or investigations.
This Alert provides an update on a legal development. It is not intended as legal advice. If you have questions about how these recommended changes may apply to your organization, contact a member of our Health Care Team: Forrest Campbell, Claire O’Brien, Mousa Alshanteer, and Kate Giduz.