OIG Audit Reveals Gaps in OCR’s HIPAA Audit Program
Alliance Daily
On November 25, 2024, the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published findings from an audit of the Office for Civil Rights’ (OCR) HIPAA Audit Program. The report highlights significant shortcomings in OCR’s implementation and oversight of the program, raising concerns about the protection of electronic protected health information (ePHI) in the face of escalating cyber threats.
The healthcare industry has experienced an alarming rise in cyberattacks, including ransomware and data breaches, in recent years. According to OCR’s annual reports, reported breaches affecting 500 or more individuals increased by 87% between 2016 and 2022. In 2023 alone, hacking incidents accounted for 77% of reported breaches, exposing the data of over 88 million individuals. These attacks can jeopardize sensitive health information, disrupt operations, and pose risks to patient care and safety. For example, a recent data breach involving a subcontractor for the Centers for Medicare & Medicaid Services (CMS) potentially exposed the personal and health information of over 900,000 Medicare beneficiaries, highlighting the vulnerability these data breaches pose to ePHI privacy protections.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required HHS to establish national standards for the use and dissemination of healthcare information, including for the protection of ePHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act required, among other things, HHS to perform periodic audits, known as HIPAA audits, of covered entities and business associates to ensure compliance with HIPAA requirements. These audits, conducted through OCR’s HIPAA Audit Program, aim to ensure compliance with HIPAA rules, particularly amid rising cybersecurity risks in the healthcare sector.
The OIG reviewed OCR’s administration of its HIPAA Audit Program from January 16 to December 2020, which included an examination of 30 of the 207 final HIPAA audit reports and related documents produced by the agency during that period. The OIG found that although OCR fulfilled its requirement to perform HIPAA audits pursuant to the HITECH Act, these audits were limited in scope, and coupled with a lack of follow-up on serious compliance issues, raised questions about the program’s efficacy.
The OIG noted the following in its report:
- Inadequate Audit Scope: The OIG observed that in 2016 and 2017, OCR’s HIPAA Audit Program conducted desk audits of selected entities, assessing only 8 of the 180 requirements outlined in its comprehensive audit protocol, with a focus on only two Security Rule administrative safeguards and no evaluation of physical or technical security safeguards. The OIG noted that although these safeguards were identified as risk areas in a 2012 OCR audit, the assessment of these two safeguards alone is insufficient to assess security risks within the healthcare sector and determine ePHI protection effectiveness. Moreover, the OIG found that due to the HIPAA audits’ limited scope, they likely failed to identify entities that had not implemented the physical and technical safeguards indicated in the HIPAA Security Rule to protect ePHI from common cybersecurity threats.
- Insufficient Oversight and Follow-Up: The OIG found that OCR’s oversight of its HIPAA Audit Program was not likely to effectively improve covered entities’ cybersecurity protections. In particular, the OIG found that OCR did not require entities to implement corrective actions for deficiencies identified during audits, raising concerns about the absence of any element in OCR’s HIPAA Audit Program to address and monitor compliance with the HIPAA Rules. Further, OCR did not define how it would initiate compliance reviews for serious violations, resulting in potential missed opportunities to ensure its audit program was effective in helping protect ePHI and in improving entities’ preparedness for cybersecurity threats.
- Resource Limitations and Audit Frequency: OCR cited financial and staffing constraints as barriers to expanding the audit scope and enforcing corrective actions, and although it has requested additional appropriations, these efforts have not been successful. Further, since 2017, OCR has not conducted any new HIPAA audits, potentially missing an opportunity to identify audited entities’ noncompliance with HIPAA rules.
The OIG issued several recommendations to OCR:
- Expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule;
- document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner;
- define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review; and
- define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.
OCR concurred with the first, third, and fourth recommendations, agreeing to enhance audit scope (provided the agency receives appropriate funding) and focus future audits on a variety of factors, establish follow-up criteria, and develop program metrics. However, OCR did not concur with the second recommendation, citing limitations under the HITECH Act and concerns about deterring voluntary audit participation.[1]
The findings highlight a need for healthcare providers, including those delivering care in the home, to proactively address cybersecurity risks and strengthen HIPAA compliance efforts. As OCR addresses the report’s recommendations, healthcare providers must remain vigilant in their compliance efforts amid an evolving cybersecurity landscape.
[1] OCR indicated it has sought legislation from Congress to grant it authority to seek injunctive relief, allowing collaboration with the Department of Justice to pursue remedies in federal court to enforce compliance with HIPAA Rules.
If My Dying Daughter Could Face Her Mortality, Why Couldn’t the Rest of Us?
The New York Times | By Sarah Wildman
The first week of March 2022, I flew to Miami with my 13-year-old daughter, Orli; her 8-year-old sister, Hana; and my partner, Ian. We were, by all appearances, healthy. Robust, even.
In reality, we were at the end of a reprieve. Orli’s liver cancer had by then been assaulted by two years of treatments — chemotherapy, a liver transplant, more chemotherapy, seven surgeries. Now new metastases lit up a corner of one lung on scans, asymptomatic but foreboding. We asked her medical team if we might show her a bit of the world before more procedures. Our oncologist balked. Hence, this brief weekend away.
When we arrived at the beach Orli ran directly to the water, then came back and stretched out on a lounge chair. She turned to me and asked, “What if this is the best I ever feel again?”
Three hundred and seventy-six days later, she was dead.
In the time since she left us, I have thought often of Orli’s question. All that spring, Orli asked, pointedly, why did we think a cure was still possible, that cancer would not continue to return? Left unspoken: Was she going to die from her disease? It was a conversation she wanted to have. And yet what we found over the wild course of her illness was that such conversations are often discouraged, in the doctor’s office and outside it.
What would it have meant for Orli’s last year if her medical team had encouraged us to meet her where she was? What if we lived in a society that was able to sit with the anguish that arises for very sick children and their families? In other words: What if we were presented with something other than relentless hope? If we had been asked to really consider that Orli’s time on earth was limited, how would we have used that time?
Americans — really, Westerners — are terrified of death. We shy away from it. Death is a problem to solve, not an inevitable part of life. As the grief therapist David Kessler pointed out to me, we once visited the dead in the front parlors of private homes. Now the dead are tucked out of sight, handled by others. A bereaved family is the locus of nightmares rather than the focus of shared support.
Nowhere is this more true than with the prospect of a child’s death. Death from illness is seen as aberrant, unusual, terrifying. Death from war, gun violence, abuse is lamentable, awful — separate. Healthy children and teens are largely shielded from the critically ill. Visiting the sick, let alone the dying, is associated with the aged and infirm; a charitable act, but not integrated into our ethos. Clergy members are overburdened. Death in America is a whisper, a shame, an error. Supporting a family through the end of life is delicate. For a child, it is also obscene…
A Stroke Changed a Teacher's Life: How a New Electrical Device is Helping Her Move
Miami Herald | By Michelle Marchante
As her students finished their online exam, Arlet Lara got up to make a cafe con leche.
Her 16-year-old son found her on the kitchen floor. First, he called Dad in a panic. Then 911.
"I had a stroke and my life made a 180-degree turn," Lara told the Miami Herald, recalling the medical scare she experienced in May 2020 in the early months of the COVID pandemic.
"The stroke affected my left side of the body," the North Miami woman and former high school math teacher said.
Lara, an avid runner and gym goer, couldn't even walk.
"It was hard," the 50-year-old mom said.
After years of rehabilitation therapy and foot surgery, Lara can walk again. But she still struggles with moving.
This summer, she became the first patient in South Florida to get an implant of a new and only FDA-approved nerve stimulation device designed to help ischemic stroke survivors regain movement in their arms and hands.
This first procedure was at Jackson Memorial Hospital in Miami. Lara's rehab was at the Christine E. Lynn Rehabilitation Center for The Miami Project to Cure Paralysis, part of a partnership between Jackson Health System and UHealth.
Every year, thousands in the United States have a stroke, with one occurring every 40 seconds, according to the U.S. Centers for Disease Control and Prevention. The majority of strokes are ischemic, often caused by blood clots that obstruct blood flow to the brain.
For survivors, most of whom are left with some level of disability, the Vivistim Paired VNS System, the device implanted in Lara's chest, could be a game changer in recovery, said Dr. Robert Starke, a UHealth neurosurgeon and interventional neuroradiologist. He also serves as co-director of endovascular neurosurgery at Jackson Memorial Hospital, part of Miami-Dade's public hospital system…
Wearable Devices for Parkinson’s Disease: The Future Is Here
Medscape | By Patrice Wendling
Less than a decade ago, the use of wearable devices in Parkinson’s disease (PD) was considered futuristic. Today, there’s an array of innovative tools from commercial activity trackers to tremor suppression gloves and laser-guided walking sticks to help manage the highly variable and fluctuating symptoms of PD.
“Over the past 5 years, the landscape of wearable technology for Parkinson’s monitoring has transformed remarkably,” Roongroj Bhidayasiri, MD, co-chair of the International Parkinson and Movement Disorder Society’s (MDS’s) Technology Study Group, told Medscape Medical News.
Advances in sensor technology, data analytics, and machine learning have significantly enhanced the precision and usability of wearable devices, he noted. They now offer continuous, real-time monitoring of both motor and nonmotor symptoms, which supports personalized treatment plans and more accurate tracking of disease progression.
Additionally, the integration of artificial intelligence analytics facilitates more comprehensive data analysis, whereas integration with mobile applications enhances patient engagement and data sharing with providers, said Bhidayasiri, director, Chulalongkorn Center of Excellence for Parkinson’s Disease & Related Disorders, and professor of neurology, Chulalongkorn University, Bangkok, Thailand.
“These technological advancements have cemented wearables as invaluable tools in the efficient and responsive management of PD within neurology care models,” he added.
Andrea Pilotto, MD, fellow MDS Technology Study Group co-chair and associate professor of neurology, University of Brescia, Brescia, Italy, pointed out that recent advances have improved the ability to capture subtle motor deficits that appear years before a clinical diagnosis of PD and add granularity to office assessments and patient home diaries.
“For sure, patient-reported outcomes are important, but we know that a large percentage of patients, especially with motor fluctuations, are not clearly aware of their symptoms or misjudge their symptoms,” he said in an interview.
The focus of wearable sensors is also shifting from its hallmark motor symptoms to monitoring nonmotor features of PD, which can vary throughout the day and influence motor measurements and therapeutic choices.
“We are now realizing the potential of wearables to begin to address anxiety, sleep, depression, and other nonmotor symptoms,” Michael S. Okun, MD, medical advisor, Parkinson’s Foundation, and director, Norman Fixel Institute for Neurological Diseases, University of Florida Health, Gainesville, Florida, told Medscape Medical News.
“This could be a game changer as nonmotor symptoms in many studies are more important than the motor symptoms in impacting quality of life,” he added…