OIG Audit Reveals Gaps in OCR’s HIPAA Audit Program

Alliance Daily

On November 25, 2024, the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published findings from an audit of the Office for Civil Rights’ (OCR) HIPAA Audit Program. The report highlights significant shortcomings in OCR’s implementation and oversight of the program, raising concerns about the protection of electronic protected health information (ePHI) in the face of escalating cyber threats.

The healthcare industry has experienced an alarming rise in cyberattacks, including ransomware and data breaches, in recent years. According to OCR’s annual reports, reported breaches affecting 500 or more individuals increased by 87% between 2016 and 2022. In 2023 alone, hacking incidents accounted for 77% of reported breaches, exposing the data of over 88 million individuals. These attacks can jeopardize sensitive health information, disrupt operations, and pose risks to patient care and safety. For example, a recent data breach involving a subcontractor for the Centers for Medicare & Medicaid Services (CMS) potentially exposed the personal and health information of over 900,000 Medicare beneficiaries, highlighting the vulnerability these data breaches pose to ePHI privacy protections.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required HHS to establish national standards for the use and dissemination of healthcare information, including for the protection of ePHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act required, among other things, HHS to perform periodic audits, known as HIPAA audits, of covered entities and business associates to ensure compliance with HIPAA requirements. These audits, conducted through OCR’s HIPAA Audit Program, aim to ensure compliance with HIPAA rules, particularly amid rising cybersecurity risks in the healthcare sector.

The OIG reviewed OCR’s administration of its HIPAA Audit Program from January 16 to December 2020, which included an examination of 30 of the 207 final HIPAA audit reports and related documents produced by the agency during that period. The OIG found that although OCR fulfilled its requirement to perform HIPAA audits pursuant to the HITECH Act, these audits were limited in scope, and coupled with a lack of follow-up on serious compliance issues, raised questions about the program’s efficacy.

The OIG noted the following in its report:

1. Inadequate Audit Scope: The OIG observed that in 2016 and 2017, OCR’s HIPAA Audit Program conducted desk audits of selected entities, assessing only 8 of the 180 requirements outlined in its comprehensive audit protocol, with a focus on only two Security Rule administrative safeguards and no evaluation of physical or technical security safeguards. The OIG noted that although these safeguards were identified as risk areas in a 2012 OCR audit, the assessment of these two safeguards alone is insufficient to assess security risks within the healthcare sector and determine ePHI protection effectiveness. Moreover, the OIG found that due to the HIPAA audits’ limited scope, they likely failed to identify entities that had not implemented the physical and technical safeguards indicated in the HIPAA Security Rule to protect ePHI from common cybersecurity threats.

2. Insufficient Oversight and Follow-Up: The OIG found that OCR’s oversight of its HIPAA Audit Program was not likely to effectively improve covered entities’ cybersecurity protections. Particularly, the OIG found that OCR did not require entities to implement corrective actions for deficiencies identified during audits, raising concerns about the absence of any elements in OCR’s HIPAA audits program to address and monitor HIPAA Rules compliance. Further, OCR did not define how it would initiate compliance reviews for serious violations, resulting in potential missed opportunities to ensure its audit program was effective in helping protect ePHI information and improving entities’ cybersecurity threat preparedness.
3. Resource Limitations and Audit Frequency: OCR cited financial and staffing constraints as barriers to expanding the audit scope and enforcing corrective actions, and although it has requested additional appropriations, these efforts have not been successful. Further, since 2017, OCR has not conducted any new HIPAA audits, potentially missing an opportunity to identify audited entities’ noncompliance with HIPAA rules.

The OIG issued several recommendations to OCR:

1. Expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule;
2. document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner;
3. define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review; and
4. define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.

OCR concurred with the first, third, and fourth recommendations, agreeing to enhance audit scope (provided the agency receives appropriate funding) and focus future audits on a variety of factors, establish follow-up criteria, and develop program metrics. However, OCR did not concur with the second recommendation, citing limitations under the HITECH Act and concerns about deterring voluntary audit participation.[1]

The findings highlight a need for healthcare providers, including those delivering care in the home, to proactively address cybersecurity risks and strengthen HIPAA compliance efforts. As OCR addresses the report’s recommendations, healthcare providers must remain vigilant in their compliance efforts amid an evolving cybersecurity landscape.

[1] OCR indicated it has sought legislation from Congress to grant it authority to seek injunctive relief, allowing collaboration with the Department of Justice to pursue remedies in federal court to enforce compliance with HIPAA Rules.