Cyberattacks against healthcare organizations are increasing, and too many are successful. Can this trend be reversed?
The HHS Office of Inspector General (OIG) believes that HIPAA audits will spur more substantial compliance and better cybersecurity measures to protect patient information. Last week, the OIG issued a report calling for a more vigorous HIPAA audit program to assess compliance with the HIPAA Security Rule, among other things.
HIPAA Audits History
The Office for Civil Rights (OCR) has been required to conduct HIPAA audits since 2009 when Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. The audits ensure that covered entities and business associates follow mandated actions to reduce cybersecurity risk.
In response to HITECH, OCR began the first HIPAA audit program in 2011. These Phase 1 audits happened in 2011-2012.
The next round of Phase 2 audits was completed in 2017. During this phase, OCR discovered widespread compliance deficiencies among both covered entities and business associates. HHS described the critical areas of noncompliance in its December 2020 HIPAA Audits Report.
Generally, covered entities did not comply with the individual right of access requirements and content of breach notification provisions. The report also explained that covered entities were not following HIPAA’s risk analysis and risk management requirements.
Covered entities demonstrated compliance in only two of the seven areas audited: (1) timeliness of breach notification and (2) prominent posting of the Notice of Privacy Practices on their websites.
Watchdog OIG Oversees HHS Functions
The Office of Inspector General of HHS was established in 1976 to fight waste, fraud, and abuse and improve the efficiency of Medicare, Medicaid, and over 100 other HHS programs, including OCR.
Noting the significant increase in successful cyberattacks against healthcare organizations’ information technology (IT) systems since the Phase 2 audits, OIG questioned “whether OCR’s audits, guidance, and enforcement activities for ensuring the protection of electronic protected health information (ePHI) have been effective.”
The OIG audited how OCR conducted its HIPAA audit program from January 2016 to December 2020. It evaluated the audit process against the HITECH Act’s statutory requirements and the HIPAA Enforcement Rule’s regulations.
OIG Conclusions and Recommendations
The OIG found that OCR fulfilled its duties under the HITECH Act by performing periodic audits of covered entities’ compliance with HIPAA. However, the audits did not include many of the safeguards required for HIPAA compliance.
The OIG report noted:
“The audits consisted of assessing only 8 of 180 HIPAA Rules requirements included in OCR’s audit protocol. Of those eight, OCR’s audits included only two Security Rule administrative safeguards and no physical and technical security safeguards.”
OCR also did not require audited entities to implement corrective actions, leaving entities with little accountability to improve their security controls and reduce risk.
Based on its findings, OIG recommended that OCR expand the scope of its HIPAA audits to address more physical and technical safeguards and implement standards to ensure deficiencies identified during the audits are corrected.
OIG also suggested that OCR define criteria for deciding whether a compliance issue identified during a HIPAA audit should result in an OCR compliance review, and define metrics for monitoring how effective these audits are at protecting ePHI.
OCR Response to the Report
The report includes OCR’s response to the recommendations. It agreed with three of the four recommendations.
The OIG recommendations with which OCR agreed are:
- Expand the scope of its HIPAA audits to assess compliance with the Security Rule’s physical and technical safeguards, contingent upon receiving appropriate funding;
- Define criteria for determining whether a compliance issue found during a HIPAA audit should result in an OCR compliance review; and
- Define metrics for monitoring the effectiveness of OCR’s HIPAA audits in improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.
OCR disagreed with the idea that it should document and implement standards and guidance to ensure that deficiencies identified during HIPAA audits are corrected in a timely manner. OCR notes that “under the HITECH Act, entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues.” Moreover, a lack of resources compromises OCR’s ability to pursue corrective action plans or penalties for every entity with HIPAA deficiencies. OCR noted that “negotiating resolution and initiating formal enforcement actions is resource intensive and would hinder other essential investigations.”
Future of HIPAA Audits
Experts have differing views about the direction OCR will take with HIPAA audits in the future.
For example, during the next four years of the Trump administration, federal agencies may need to do more with fewer resources. Some experts believe limited resources would go further when used for targeted investigations rather than random audits.
In addition, draft Security Rule modifications are pending the current administration’s approval in December. New incoming staff will scrutinize these changes before they are finalized.
Security Rule Compliance is a Blueprint to Fight Cybercrime
Regardless of OCR’s direction on audits or investigations, the strongest reason to follow the Security Rule is to strengthen cybersecurity and defend against hackers and ransomware. Safeguarding IT systems and the ePHI they contain is essential to remaining operational and maintaining patient trust and safety.
Other reasons to follow the HIPAA Security Rule include state privacy laws similar to HIPAA and lawsuits from patients when their sensitive protected health information is breached. State investigations and lawsuits are easier to defend when an organization has followed the gold standard of privacy protections found in the Security Rule.