OCR’s HIPAA audit program was lacking, OIG says
In reviewing how the Office for Civil Rights conducted its Health Insurance Portability and Accountability Act periodic audit program from January 2016 through December 2020, the Office of Inspector General of the Department of Health and Human Services found that OCR was largely ineffective in preventing health information disclosures, a new report says.
After reviewing OCR’s program for conducting periodic HIPAA audits, the OIG recommended expanding the scope to implement the requirements of the HITECH Act of 2009, which expanded criminal and civil penalties to business associates of covered entities.
WHY IT’S IMPORTANT
Although OCR is fulfilling its requirement under the HITECH Act to conduct periodic HIPAA audits, those audits were too narrowly scoped to effectively assess the physical and technical safeguards protecting ePHI, the OIG concluded in its report released Friday.
“OCR’s oversight of its HIPAA audit program may not be effective in improving cybersecurity protections at organizations,” the OIG said in its findings.
The watchdog agency evaluated how OCR conducted its HIPAA audit program, reviewing 30 of the 207 HIPAA audit reports and related documents issued by OCR from 2016 through 2020.
When OCR conducted a HIPAA audit during that period, it reviewed only eight of the 180 requirements of the HIPAA Rules. The OIG said that while two of the eight requirements related to the Security Rule’s administrative safeguards – security risk assessment and risk management – none related to physical or technical safeguards.
The lack of teeth in OCR’s audit program when it comes to security flaws dates back more than a decade, the OIG showed in its new report.
Healthcare organizations and business associates were struggling to implement the safeguards required by the HIPAA Security Rule, OCR concluded after conducting HIPAA audits in 2012, the OIG noted.
“However, assessing only two systems security requirements is often not enough to assess the risk within the healthcare sector and determine the effectiveness of the [electronic protected health information] security protections that should be in place, as required by the [HIPAA] Security Rule,” the OIG said.
Although OCR conducted the necessary audits, organizations were able to skate by without fully complying with HIPAA’s security requirements.
“Furthermore, due to their limited scope, HIPAA audits may not have identified organizations such as hospitals that have not implemented the physical and technical safeguards described in the Security Rule to protect ePHI against common cybersecurity threats,” the OIG said.
The watchdog said that for this latest review of OCR’s HIPAA audit program, its team examined the legal requirements in HITECH, the requirements of the HIPAA Rules, OCR’s policies and procedures for implementing the HITECH requirements and enforcing the HIPAA Rules, HIPAA compliance reports to Congress, and the cybersecurity guidance the agency provided to the healthcare industry from 2016 to 2020.
The OIG recommended that OCR:
- Expand the scope of its HIPAA audits to assess compliance with the physical and technical safeguards of the Security Rule.
- Write and implement standards and guidelines to ensure that deficiencies found during HIPAA audits are corrected in a timely manner – the one recommendation the agency did not concur with.
- Describe and document procedures for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance audit.
- Define metrics for monitoring the effectiveness of OCR’s HIPAA audits in improving audited entities’ security over ePHI and periodically review whether these metrics should be updated.
Where OCR concurred with three of the recommendations, the agency provided the OIG with detailed steps it has taken and plans to take in response, according to the HHS statement.
The sticking point is enforcing that healthcare organizations correct the deficiencies found during HIPAA audits. OCR noted in its response to the new effectiveness review that “HIPAA audits were designed to be voluntary and are intended to provide technical assistance rather than to mandate corrections,” the OIG said.
“OCR stated that, under the HITECH Act, entities may choose to pay civil money penalties rather than address HIPAA deficiencies through corrective action plans, and cannot be forced to sign resolution agreements or to correct the issues immediately,” the OIG added.
OCR’s penalties for HIPAA violations can be steep, and healthcare organizations have a clear interest in taking steps to avoid them.
As the federal government’s HIPAA enforcer, OCR told the OIG that it has asked lawmakers to allow it to seek relief, “which will enable OCR to work with the Department of Justice to pursue remedies in federal court to compel compliance with the HIPAA Regulations.”
THE LARGER TREND
HHS has developed national standards for the use and disclosure of healthcare information, including standards for protecting ePHI under HIPAA – the Privacy Rule, the Security Rule and the Breach Notification Rule – and in August 2009 gave OCR the authority to interpret and enforce the Security Rule and to impose civil money penalties for noncompliance.
OCR piloted its audit program in 2011, and the OIG said a 2013 review of that program found that while OCR met other federal requirements related to oversight and enforcement of the HIPAA Security Rule, it had limited oversight of whether covered entities were actually complying with the Security Rule.
At that time, the OIG encouraged the agency to strengthen its periodic audits in accordance with the HITECH Act to ensure that organizations were complying with the HIPAA Security Rule.
In 2016, during its second phase of HIPAA audits, OCR announced that it would conduct on-site HIPAA audits of hospitals the following year.
“We want evidence that you’re using policies and procedures,” OCR senior counsel Linda Sanches said at the 2016 HIMSS and Healthcare IT News Privacy & Security Forum.
“The two biggest problems we see are in the implementation of risk assessment and risk management.”
As OCR’s investigations have uncovered long-running noncompliance with the HIPAA security rules that led to major PHI breaches, it has levied millions of dollars in fines.
In responding to the OIG’s review of its HIPAA audit program, OCR repeated what it has said many times:
It “does not have the financial or personnel resources to pursue corrective action plans or penalties for every entity with HIPAA violations,” since negotiating settlements and initiating the enforcement process are too resource-intensive, the OIG noted.
In October, HHS filed proposed amendments to the HIPAA Security Rule, intended to strengthen the cybersecurity of ePHI, with the Office of Information and Regulatory Affairs. Once the White House reviews the proposal, HHS can release a Notice of Proposed Rulemaking for public comment.
“These changes will improve cybersecurity in the healthcare sector by strengthening the requirements for HIPAA-regulated organizations to protect [ePHI] and to prevent, detect, contain, mitigate and recover from cybersecurity threats,” OCR said in a presentation.
The agency expects to publish the proposed rule next month, OCR told Healthcare IT News by email when asked about the changes to the HIPAA Security Rule.
The American Hospital Association and other organizations have rejected HHS proposals that would mandate cybersecurity requirements and penalize hospitals for cyber attacks.
ON THE RECORD
“For example, OCR did not require audited entities to respond to deficiencies by implementing corrective actions and verifying compliance,” the OIG said in its findings.
“In addition, OCR did not monitor the results of the HIPAA audit program. This occurred because OCR did not have written policies and procedures for conducting these audits, including addressing deficiencies that are found in a timely manner,” the watchdog continued.
“Without responses from audited entities, OCR has no assurance that corrective actions have been or will be implemented to address deficiencies that, if not addressed, may affect patient information, care and safety.”