OIG: Office for Civil Rights Should Enhance Its HIPAA Audit Program

The auditors at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) got a taste of their own medicine recently, as an audit by the HHS Office of Inspector General found that OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess electronic protected health information (ePHI) protections and demonstrate a reduction of risks within the healthcare sector.

In its report to Congress for calendar year 2022, OCR stated that it received 64,592 reported breaches affecting 42 million individuals and that the majority of the security incidents associated with these reported breaches were related to the hacking of health care providers. The report also stated that, between 2018 and 2022, the number of reported breaches increased.

In its report, OIG stated that the increase in the number of successful cyberattacks against healthcare entities’ IT systems raised the question of whether OCR's audits, guidance, and enforcement activities for ensuring the protection of ePHI have been effective. 

OIG found that OCR’s audits consisted of assessing only eight of 180 HIPAA Rules requirements; and only two of those eight requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.

The report also said that OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.

OIG made a series of recommendations to OCR to enhance its HIPAA audit program, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule, document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner, and define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited covered entities and business associates’ protections over ePHI and periodically review whether these metrics should be refined. The full recommendations are in the report.

OCR concurred with three of the recommendations and detailed steps it has taken and plans to take in response. But OCR stated that, under the HITECH Act, entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues. 

OCR indicated that it has requested legislation from Congress to authorize it to seek injunctive relief, which would enable OCR to collaborate with the Department of Justice to pursue remedies in federal court to secure compliance with the HIPAA Rules. 

Further, OCR stated that it does not have the financial or staff resources to pursue corrective action plans or penalties for every entity with HIPAA deficiencies and stated that the process of negotiating resolution and initiating formal enforcement actions is resource-intensive and would hinder other essential investigations. 

OCR also stated that HIPAA audits were designed to be voluntary and intended to provide technical assistance rather than enforce corrections. OCR stated that imposing requirements for audited entities to correct deficiencies in a timely manner could discourage entities from participating in HIPAA audits. Finally, OCR stated that it agrees with implementing criteria for follow-up compliance reviews; however, it noted that entities would still have the option to pay a civil money penalty rather than correcting deficiencies.

In response, OIG acknowledged that OCR faces significant challenges in managing the HIPAA Rules, which may limit its ability to implement additional compliance tools. “We encourage OCR to continue to request the necessary funding, personnel, and other resources it needs to conduct its HIPAA audits and enforce the HIPAA Rules, especially as the number of cybersecurity and privacy threats continue to increase. We remain concerned that OCR’s HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements," the report stated.

OIG acknowledged that OCR chose to make participation in HIPAA audits voluntary; however, it disagreed with OCR’s interpretation of the potential effect of civil money penalties. The primary goal of these audits is for OCR to ensure that entities comply with HIPAA regulations to protect the privacy and security of protected health information (PHI).

Furthermore, OIG stated that although the HITECH Act does not specify that entities must resolve HIPAA audit deficiencies, OCR’s response omitted that entities still have to comply with the HIPAA Rules and that civil money penalties payments do not relieve entities from compliance. Even after a civil money penalty is imposed, the entity would need to take necessary steps to correct the unresolved, identified deficiencies to be in compliance with the HIPAA Rules. Therefore, entities must address any significant deficiencies OCR identified in the audits. OIG maintained the validity of its recommendation to OCR to document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner to protect PHI.