The auditors at the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) got a taste of their own medicine recently, as an audit by the HHS Office of Inspector General found that OCR's HIPAA audit implementation was too narrowly scoped to effectively assess electronic protected health information (ePHI) protections and demonstrate a reduction of risks within the healthcare sector.
In its report to Congress for calendar year 2022, OCR stated that it received 64,592 reported breaches affecting 42 million individuals and that the majority of the security incidents associated with these reported breaches were related to the hacking of health care providers. The report also stated that, between 2018 and 2022, the number of reported breaches increased.
In its report, OIG stated that the rise in the number of successful cyberattacks against healthcare entities' IT systems raised the question of whether OCR's audits, guidance, and enforcement actions for ensuring the protection of ePHI were effective.
OIG found that OCR's audits consisted of assessing only eight of 180 HIPAA Rules requirements; only two of those eight requirements were related to Security Rule administrative safeguards, and none were related to physical and technical security safeguards.
The report also said that OCR's oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
OIG made a series of recommendations to OCR to enhance its HIPAA audit program, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the HIPAA Security Rule, document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner, and define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited covered entities' and business associates' protections over ePHI and periodically evaluate whether those metrics need to be refined. The full recommendations are in the report.
OCR concurred with three of the recommendations and detailed steps it has taken and plans to take in response. However, OCR stated that, under the HITECH Act, entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues.
OCR indicated that it has requested legislation from Congress to authorize it to seek injunctive relief, which would enable OCR to collaborate with the Department of Justice to pursue remedies in federal court to secure compliance with the HIPAA Rules.
Further, OCR stated that it does not have the financial or staff resources to pursue corrective action plans or penalties for every entity with HIPAA deficiencies and acknowledged that the process of negotiating resolution and initiating formal enforcement actions is resource-intensive and would hinder other important investigations.
OCR also stated that HIPAA audits were designed to be voluntary and intended to provide technical assistance rather than enforce corrections. OCR stated that imposing requirements for audited entities to correct deficiencies in a timely manner could discourage entities from participating in HIPAA audits. Finally, OCR stated that it agrees with implementing criteria for follow-up compliance reviews; however, it noted that entities would still have the option to pay a civil money penalty rather than correcting deficiencies.
In response, OIG acknowledged that OCR faces significant challenges in managing the HIPAA Rules, which may limit its ability to implement additional compliance tools. "We encourage OCR to continue to request the necessary funding, personnel, and other resources it needs to conduct its HIPAA audits and enforce the HIPAA Rules, particularly as the number of cybersecurity and privacy threats continue to increase. We remain concerned that OCR's HIPAA audits, as implemented, do not provide assurance that audited entities are complying with the HIPAA Rules requirements," the report stated.
OIG acknowledged that OCR chose to make participation in HIPAA audits voluntary; however, it disagreed with OCR's interpretation of the potential effect of civil money penalties. The primary purpose of these audits is for OCR to ensure that entities comply with HIPAA regulations to protect the privacy and security of protected health information (PHI).
Furthermore, OIG stated that although the HITECH Act does not specify that entities must resolve HIPAA audit deficiencies, OCR's response omitted that entities still need to comply with the HIPAA Rules and that civil money penalty payments do not relieve entities from compliance. Even after a civil money penalty is imposed, the entity would need to take necessary steps to correct the unresolved, identified deficiencies to be in compliance with the HIPAA Rules. Therefore, entities must address any significant deficiencies OCR identified in the audits. OIG maintained the validity of its recommendation to OCR to document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner to protect PHI.