The auditors at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received a taste of their own medicine recently, as an audit by the HHS Office of Inspector General (OIG) found that OCR's HIPAA audit implementation was too narrowly scoped to effectively assess electronic protected health information (ePHI) protections and demonstrate a reduction of risks across the healthcare sector.
In its report to Congress for calendar year 2022, OCR stated that it received 64,592 reported breaches affecting 42 million individuals and that the majority of the security incidents associated with these reported breaches were related to the hacking of health care providers. The report also stated that, between 2018 and 2022, the number of reported breaches increased.
In its report, OIG stated that the increase in the number of successful cyberattacks against healthcare entities' IT systems raised the question of whether OCR's audits, guidance, and enforcement actions for ensuring the protection of ePHI were effective.
OIG found that OCR's audits consisted of assessing only eight of 180 HIPAA Rules requirements; only two of those eight requirements were related to Security Rule administrative safeguards, and none were related to physical and technical security safeguards.
The report also said that OCR's oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
OIG made a series of recommendations to OCR to enhance its HIPAA audit program, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule, document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner, and define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited covered entities' and business associates' protections over ePHI and periodically review whether those metrics should be refined. The full recommendations are in the report.
OCR concurred with three of the recommendations and detailed steps it has taken and plans to take in response. However, OCR stated that, under the HITECH Act, entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues.
OCR indicated that it has requested legislation from Congress to authorize it to seek injunctive relief, which would enable OCR to collaborate with the Department of Justice to pursue remedies in federal court to secure compliance with the HIPAA Rules.
Further, OCR stated that it does not have the financial or staff resources to pursue corrective action plans or penalties for every entity with HIPAA deficiencies, and that the process of negotiating resolutions and initiating formal enforcement actions is resource-intensive and would hinder other important investigations.
OCR also stated that HIPAA audits were designed to be voluntary and intended to provide technical assistance rather than enforce corrections. OCR stated that imposing requirements for audited entities to correct deficiencies in a timely manner could discourage entities from participating in HIPAA audits. Finally, OCR stated that it agrees with implementing criteria for follow-up compliance reviews; however, it noted that entities would still have the option to pay a civil money penalty rather than correcting deficiencies.
In response, OIG acknowledged that OCR faces significant challenges in managing the HIPAA Rules, which may limit its ability to implement additional compliance tools. "We encourage OCR to continue to request the necessary funding, personnel, and other resources it needs to conduct its HIPAA audits and enforce the HIPAA Rules, particularly as the number of cybersecurity and privacy threats continue to increase. We remain concerned that OCR's HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements," the report stated.
OIG acknowledged that OCR chose to make participation in HIPAA audits voluntary; however, it disagreed with OCR's interpretation of the potential effect of civil money penalties. The primary goal of these audits is for OCR to ensure that entities comply with HIPAA regulations to protect the privacy and security of protected health information (PHI).
Furthermore, OIG stated that although the HITECH Act does not specify that entities must resolve HIPAA audit deficiencies, OCR's response omitted that entities still must comply with the HIPAA Rules and that civil money penalty payments do not relieve entities from compliance. Even after a civil money penalty is imposed, the entity would need to take significant steps to correct the unresolved, identified deficiencies to be in compliance with the HIPAA Rules. Therefore, entities must address any significant deficiencies OCR identified in the audits. OIG maintained the validity of its recommendation that OCR document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner to protect PHI.