Watchdog Report: HHS OCR Should Beef-Up HIPAA Audit Program

HHS OIG: Current Audit Program Is Not Pushing Entities Enough to Improve Cyber

The Department of Health and Human Services Office of the Inspector General has issued a report with a series of recommendations to the Office for Civil Rights on the focus and conduct of HIPAA audits in the near future.

The audit program has been dormant since 2020, but the HHS is restarting the program and toughening the scope of its audits.

The HHS Office of Inspector General recently issued a report that says HHS OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits, but that the last batch of so-called “desk audits,” conducted in 2020, was inadequate.

“In many cases, OCR’s audit results demonstrated that the audited entities made negligible efforts to comply or did not provide evidence of a serious attempt to comply with the HIPAA Rules,” the report said.

HHS OIG made four recommendations to HHS OCR. Three of these recommendations are being implemented:

  • Expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule;
  • Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review;
  • Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.

HHS OCR Director Melanie Fontes Rainer said the agency was planning to resume the audit program.

By the end of the year, HHS OCR also plans to publish a proposed update to the HIPAA Security Rule to better reflect the evolution of technology and healthcare delivery that’s occurred over the last two decades since the regulations were first issued.

HHS OCR Statement
“OCR will be initiating HIPAA Audits in the near future, and will seek to implement OIG’s recommendations,” the statement said.

“As the office responsible for enforcing and administering the HIPAA Rules, and with the exponential rise of cyberattacks in the health sector, OCR is committed to continue updating and rigorously enforcing the HIPAA Rules to protect the privacy and security of protected health information of patients and safeguard our national security in the health care system, including OCR’s plans to publish proposed changes to the HIPAA Security Rule next month,” HHS OCR said.

As audits resume, covered entities should ensure that they are prepared for the possibility of being selected. Keeping an eye out for updated rules and how they will affect compliance is also recommended.

If you have questions about IT security and how it’s affecting the healthcare industry, call ITPAC today.