OCR’s HIPAA audit program lacked courage, OIG says

In examining how the Office for Civil Rights conducted its periodic audit program for the Health Insurance Portability and Accountability Act from January 2016 through December 2020, the Office of Inspector General of the U.S. Department of Health and Human Services found that OCR's program was largely ineffective in preventing health information breaches, according to a new report.

After reviewing OCR's program for conducting periodic HIPAA audits, OIG recommended expanding the program's scope to better meet the requirements of the HITECH Act of 2009, which extended criminal and civil penalties to the business associates of covered entities.

WHY IT’S IMPORTANT

Although OCR complied with the requirement under the HITECH Act to conduct periodic HIPAA audits, its audits were too narrowly focused to assess physical and technical security safeguards, OIG concluded in its report, released Friday.

“OCR oversight of its HIPAA audit program was likely ineffective in improving entity cybersecurity,” OIG said in its findings.

The watchdog agency audited how OCR conducted its HIPAA audit program, reviewing 30 of the 207 final HIPAA audit reports and related documents produced by OCR between 2016 and 2020.

When OCR conducted a HIPAA audit during that period, it reviewed eight of the 180 requirements of the HIPAA rules. OIG said that while two of these eight requirements related to administrative safeguards under the Security Rule – security risk analysis and risk management – none related to physical and technical security safeguards.

The limited insight into security weaknesses provided by OCR's audit program goes back more than a decade, OIG notes in the new report.

Healthcare organizations and business associates had difficulty implementing the administrative safeguards required by the HIPAA Security Rule, OCR concluded after conducting HIPAA audits in 2012, OIG noted.

“However, assessing two administrative security requirements is generally not sufficient to assess the risk within the healthcare industry and to determine the effectiveness of the (electronic protected health information) security measures that should be in place as required by the (HIPAA) Security Rule,” said OIG.

Although OCR conducted the required audits, organizations were able to get by without fully complying with HIPAA security requirements.

“Additionally, due to their limited scope, the HIPAA audits most likely did not identify entities, such as hospitals, that have not implemented the physical and technical safeguards defined in the Security Rule to protect ePHI from common cybersecurity threats,” OIG said.

The watchdog agency said that for this latest audit of OCR's HIPAA audit program, its team reviewed the regulatory requirements in HITECH, the HIPAA Enforcement Rule, OCR's policies and procedures for implementing HITECH requirements and enforcing the HIPAA rules, the agency's HIPAA compliance reports to Congress, and the enforcement- and cyber-related guidance the agency provided to the health care industry from 2016 to 2020.

OIG has recommended that OCR:

  • Expand the scope of its HIPAA audits to assess compliance with the security rule’s physical and technical safeguards.
  • Document and implement standards and guidelines to ensure that deficiencies identified during HIPAA audits are corrected in a timely manner – the one recommendation with which the agency disagreed.
  • Define and document criteria to determine whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
  • Define metrics to monitor the effectiveness of OCR's HIPAA audits in improving audited entities' protection of ePHI, and periodically assess whether these metrics need to be refined.

OCR agreed with three of the recommendations and provided OIG with the detailed steps it has taken and plans to take in response, according to an HHS statement.

The disagreement concerns policing whether healthcare organizations correct deficiencies discovered during HIPAA audits. OCR noted in its response to the new effectiveness assessment that “HIPAA audits were intended to be voluntary and were intended to provide technical assistance rather than enforce corrections,” according to OIG.

“OCR stated that under the HITECH Act, entities may choose to pay civil penalties rather than address HIPAA deficiencies through corrective action plans and cannot be forced to sign resolution agreements or immediately correct problems,” OIG added.

OCR's security enforcement penalties can be costly, and healthcare organizations have an interest in taking steps to avoid them.

As the federal government's HIPAA auditor, OCR told OIG that it has called on lawmakers to authorize it to seek injunctive relief, “which would allow OCR to work with the Department of Justice to file in federal court to pursue legal remedies to ensure compliance with the HIPAA Rules.”

THE BIG TREND

HHS developed national standards for the use and dissemination of health care information, including standards to protect ePHI under HIPAA – the Privacy Rule, the Security Rule and the Breach Notification Rule – and in August 2009 delegated to OCR the authority to implement and enforce the Privacy Rule, including imposing civil penalties for non-compliance.

OCR piloted its audit program in 2011, and OIG said its 2013 review of the program found that while OCR met some federal requirements related to the oversight and enforcement of the HIPAA Security Rule, it had limited assurance that covered entities complied with the Security Rule.

At the time, OIG recommended that the agency strengthen its periodic audits under the HITECH Act to ensure entities are in compliance with the HIPAA Security Rule.

In 2016, during the second wave of HIPAA audits, OCR announced that it would conduct on-site HIPAA audits of hospitals the following year.

“We are looking for evidence that you are implementing the policies and procedures,” said OCR Senior Advisor Linda Sanches at the 2016 HIMSS and Healthcare IT News Privacy & Security Forum.

“Two big problems we see are the implementation of risk analysis and risk management.”

When OCR investigations revealed long-term, systematic noncompliance with the HIPAA Security Rule that led to massive PHI breaches, the agency imposed millions of dollars in fines.

In its assessment of the HIPAA audit program, OCR reiterated something it has said many times:

“It does not have the financial or human resources to pursue corrective action plans or sanctions against every entity with HIPAA deficiencies,” as negotiating a resolution and initiating formal enforcement actions is resource-intensive, OIG noted.

In October, HHS submitted proposed changes to the HIPAA security rule to strengthen ePHI cybersecurity to the Office of Information and Regulatory Affairs. Once the White House reviews the proposal, HHS may release a notice of proposed rulemaking for public comment.

“These changes will improve cybersecurity in the healthcare industry by strengthening the requirements for HIPAA regulated entities to protect (ePHI) to prevent, detect, control, mitigate, and recover from cybersecurity threats,” OCR said in the proposal's executive summary.

The agency expects to publish the proposed rule next month, OCR told Healthcare IT News by email when the HIPAA Security Rule changes were submitted.

The American Hospital Association and other organizations have pushed back on HHS proposals that would impose cybersecurity requirements and punish hospitals for cyberattacks.

ON THE RECORD

“For example, OCR did not require audited entities to respond to deficiencies by implementing corrective actions and confirming implementation,” OIG said in its findings.

“Additionally, OCR failed to monitor the results of the HIPAA audit program. This occurred because OCR lacked a documented process and procedures for performing these audit steps, including for resolving identified deficiencies in a timely manner,” the watchdog agency continued.

“Without responses from entities, OCR has no commitment that corrective actions have been or will be implemented to address deficiencies that, if left unaddressed, could impact patient data, care and safety.”
