The auditors at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) got a taste of their own medicine recently, as an audit by the HHS Office of Inspector General found that OCR's HIPAA audit implementation was too narrowly scoped to effectively assess electronic protected health information (ePHI) protections and demonstrate a reduction of risks within the healthcare sector.
In its report to Congress for calendar year 2022, OCR stated that it received 64,592 reported breaches affecting 42 million individuals and that most of the security incidents associated with these reported breaches were related to the hacking of health care providers. The report also stated that, between 2018 and 2022, the number of reported breaches increased.
In its report, OIG stated that the increase in the number of successful cyberattacks against healthcare entities' IT systems raised the question of whether OCR's audits, guidance, and enforcement actions for ensuring the protection of ePHI were effective.
OIG found that OCR's audits consisted of assessing only eight of 180 HIPAA Rules requirements; only two of those eight requirements were related to Security Rule administrative safeguards, and none were related to physical and technical security safeguards.
The report also said that OCR's oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
OIG made a series of recommendations to OCR to enhance its HIPAA audit program, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule, document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner, and define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited covered entities' and business associates' protections over ePHI and periodically review whether those metrics should be refined. The full recommendations are in the report.
OCR concurred with three of the recommendations and detailed steps it has taken and plans to take in response. However, OCR stated that, under the HITECH Act, entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues.
OCR indicated that it has requested legislation from Congress to authorize it to seek injunctive relief, which would enable OCR to collaborate with the Department of Justice to pursue remedies in federal court to secure compliance with the HIPAA Rules.
Further, OCR stated that it does not have the financial or staff resources to pursue corrective action plans or penalties for every entity with HIPAA deficiencies and stated that the process of negotiating resolution and initiating formal enforcement actions is resource-intensive and would hinder other critical investigations.
OCR also stated that HIPAA audits were designed to be voluntary and intended to provide technical assistance rather than enforce corrections. OCR stated that imposing requirements for audited entities to correct deficiencies in a timely manner could discourage entities from participating in HIPAA audits. Finally, OCR stated that it agrees with implementing criteria for follow-up compliance reviews; however, it noted that entities would still have the option to pay a civil money penalty rather than correcting deficiencies.
In response, OIG acknowledged that OCR faces significant challenges in managing the HIPAA Rules, which may limit its ability to implement additional compliance tools. “We encourage OCR to continue to request the necessary funding, personnel, and other resources it needs to conduct its HIPAA audits and enforce the HIPAA Rules, especially as the number of cybersecurity and privacy threats continue to increase. We remain concerned that OCR's HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements,” the report stated.
OIG acknowledged that OCR chose to make participation in HIPAA audits voluntary; however, it disagreed with OCR's interpretation of the potential effect of civil money penalties. The primary purpose of these audits is for OCR to ensure that entities comply with HIPAA regulations to protect the privacy and security of protected health information (PHI).
Moreover, OIG stated that although the HITECH Act does not specify that entities must resolve HIPAA audit deficiencies, OCR's response omitted that entities still must comply with the HIPAA Rules and that civil money penalty payments do not relieve entities from compliance. Even after a civil money penalty is imposed, the entity would need to take the necessary steps to correct the unresolved, identified deficiencies to be in compliance with the HIPAA Rules. Therefore, entities must address any significant deficiencies OCR identified in the audits. OIG maintained the validity of its recommendation to OCR to document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner to protect PHI.