Office of Inspector General (OIG) Finds HIPAA Oversight Ineffective
The bottom line: healthcare providers should expect increased HIPAA oversight from the government. This will include an enhanced HIPAA audit program focusing on cybersecurity as a result of a recent OIG audit.
The increase in the number of successful cyberattacks against health care entities’ information technology (IT) systems raises the question of whether the Office for Civil Rights’ (OCR) audits, guidance, and enforcement activities for ensuring the protection of electronic protected health information (ePHI) have been effective.
OCR is the government's HIPAA enforcement agency, but the OIG is the government watchdog, and it launched an audit of OCR’s effectiveness. This month the OIG released a new audit report, A-18-21-08014, reviewing how effective the OCR HIPAA audit program is at securing electronic protected health information (ePHI).
The OIG found that OCR fulfilled its requirement under the Health Information Technology for Economic and Clinical Health (HITECH) Act to perform periodic HIPAA audits. The OIG report states that OCR originally planned to include in its audit program:
(1) over 200 desk audits that would evaluate entities’ compliance with selected HIPAA Rules requirements and
(2) a smaller number of comprehensive on-site audits that would evaluate entities against a comprehensive set of HIPAA compliance provisions.
The report also states that OCR intended to use its HIPAA audits to identify promising practices for protecting the privacy and security of health information and discover risks and vulnerabilities that may not have been revealed by OCR’s enforcement activities. However, as of June 2024, OCR had completed only the desk audits and, in its report to Congress for calendar year 2022 (issued in 2024), OCR reported that it has not initiated any additional audits due to a lack of financial resources.
OIG’s report also states the following:
The OIG’s recommendations for OCR include insight on expanding the scope of its HIPAA audit and guidance for resolving deficiencies in compliance. Amid heightened data breaches, this report further underscores the critical need for effective enforcement of HIPAA.