Dive Brief:
The Office for Civil Rights, which oversees HIPAA enforcement, should improve its program for auditing compliance with the privacy and security law, according to a report published Monday by the HHS’ Office of Inspector General.
Although the OCR fulfilled its requirement to conduct periodic HIPAA audits, the program was too narrow in scope to effectively assess organizations’ protections for health data and reduce risks, according to the OIG.
Overall, the audits weren’t effective at improving cybersecurity at healthcare companies and their business associates — a major concern for regulators and lawmakers as cybercriminals increasingly target the industry.
Dive Insight:
The report, which analyzed how OCR conducted its HIPAA audits from 2016 through 2020, found the agency’s program assessed few of the law’s requirements.
The audits assessed only eight of 180 HIPAA requirements, according to the OIG. These eight requirements included appraising two administrative safeguards under HIPAA’s security rule, which require covered entities to analyze and manage risks to their protected health information.
But the audits didn’t assess healthcare organizations’ use of physical or technical safeguards for their data, which aim to prevent unauthorized actors — like hackers — from gaining access to their technology systems and exposing protected data, according to the OIG.
“[…] Because of their narrow scope, the HIPAA audits most likely did not identify entities, such as hospitals that did not implement the physical and technical safeguards outlined in the Security Rule to protect ePHI against common cybersecurity threats,” the watchdog wrote in the report.
The agency’s audit program also lacked ways to address noncompliance, according to the OIG. The OCR didn’t require audited companies to implement corrective measures, and it rarely initiated additional reviews when serious issues were found during audits.
The agency also didn’t track outcomes from its audit program or document the frequency of its audits as of 2020, according to the report.
The watchdog recommended OCR expand the scope of its audit program, document standards to ensure companies fix problems found during the assessments, define criteria for when the agency should conduct compliance reviews and determine metrics to evaluate the effectiveness of HIPAA audits.
The OCR agreed with most of the recommendations, but added that the agency has a small budget and hasn’t received additional funding and staffing to enforce HIPAA.
The agency’s budget held steady around $38 million from fiscal year 2018 through 2020. Meanwhile, OCR has received more complaints and large data breach reports, and the number of investigative staff fell 30% from fiscal year 2010 through 2023, OCR Director Melanie Fontes Rainer wrote to the OIG.
“The lack of receipt of these requested additional resources has resulted in less staff and investigators to conduct HIPAA audits more frequently, larger scale, or in greater number due to a lack of adequate funding to conduct all needed operational activities,” she wrote.
The agency didn’t agree with OIG’s recommendation to document and implement standards for ensuring problems found in HIPAA audits are corrected. The OCR argued the law gives covered entities the option to pay a civil monetary penalty instead of resolving an investigation with a corrective action plan. The agency added that resource constraints prevent it from implementing corrective action plans, and that HIPAA audits aim to provide technical assistance rather than issue corrections.