Watchdog Report: HHS OCR Should Beef-Up HIPAA Audit Program
HHS OIG: Current Audit Program Is Not Pushing Entities Enough to Improve Cyber
Congress voted in 2009 as part of the HITECH Act to require the U.S. Department of Health and Human Services' Office for Civil Rights to perform periodic HIPAA audits on regulated healthcare organizations to ensure they are taking all mandated actions to reduce their cybersecurity risk.
But the audit program has been dormant since 2020, and a watchdog agency says HHS should restart the program and toughen the scope of its audits.
The HHS Office of Inspector General report issued on Tuesday says that HHS OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. But the last batch of so-called "desk audits," conducted in 2020, was inadequate.
Specifically, OCR performed a total of 207 audits - 166 of covered entities and 41 of business associates - between 2016 and 2020, the report said. That is only a tiny fraction of the thousands of HIPAA covered entities and business associates in the U.S.
"In many cases, OCR’s audit results demonstrated that the audited entities made negligible efforts to comply or did not provide evidence of a serious attempt to comply with the HIPAA Rules," the report said.
Further, the audits assessed only eight of the 180 HIPAA Privacy, Security and Breach Notification Rule requirements included in OCR’s own HIPAA audit protocol.
"Of those eight, OCR’s audits included assessing compliance with only two Security Rule administrative safeguards and no physical and technical security safeguards." The two HIPAA Security Rule administrative safeguards examined were security risk analysis and risk management because those two areas were deemed to be frequent compliance weaknesses OCR found in its breach investigations and enforcement actions.
But by so narrowly focusing its HIPAA audits - especially regarding Security Rule requirements - "OCR missed the opportunity to identify physical and technical deficiencies that should be remediated to reduce risks within the healthcare sector," HHS OIG said.
"Further, entities’ ePHI may be vulnerable to compromise by bad actors or accidental exposure by an unintentional mishap," the report said.
HHS OIG made four recommendations to HHS OCR, and HHS OCR agreed with all but one. The recommendation it did not accept was for HHS OCR to document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner.
In its response, HHS OCR cited a lack of sufficient resources as the primary reason the agency has not conducted more frequent and more intensive HIPAA audits, including following up with post-audit assessments.
HHS OIG's other recommendations with which HHS OCR concurred are for the agency to:
- Expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule;
- Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review;
- Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.
In February, HHS OCR published in the Federal Register a notice saying that it soon would be pulling the trigger on a study to assess its HIPAA compliance audit program for potential changes (see: They're Back: HHS OCR Plans to Resurrect Random HIPAA Audits).
HHS OCR Director Melanie Fontes Rainer, in a May interview with Information Security Media Group, said the agency was planning to resume its dormant audit program.
By the end of the year, HHS OCR also plans to publish a proposed update to the HIPAA Security Rule to better reflect the evolution of technology and healthcare delivery that's occurred over the last two decades since the regulations were first issued, she said. That update to the 20-year-old HIPAA Security Rule is currently under review by the White House Office of Management and Budget (see: White House Reviewing Updates to HIPAA Security Rule).
HHS OCR Statement
HHS OCR in a statement provided to ISMG said the agency "appreciates" the HHS OIG's recommendations concerning OCR’s 2016-2017 HIPAA audits.*
"Consistent with the OIG report, OCR agrees that regular HIPAA Audits, with appropriate funding, are integral to ensure the compliance of HIPAA regulated entities. OCR will be initiating HIPAA Audits in the near future, and will seek to implement OIG’s recommendations, as OCR’s funding and staffing resources permit," the statement said.
"As the office responsible for enforcing and administering the HIPAA Rules, and with the exponential rise of cyberattacks in the health sector, OCR is committed to continue updating and rigorously enforcing the HIPAA Rules to protect the privacy and security of protected health information of patients and safeguard our national security in the health care system, including OCR’s plans to publish proposed changes to the HIPAA Security Rule next month," HHS OCR said.
"Nevertheless, OCR has had nearly flat appropriations for twenty years, even with OCR’s continued requests for additional appropriations and resources, which has resulted in unsustainable workloads."
Needed Changes
HHS OCR's reason for shortcomings in the HIPAA audit program - a lack of resources - is quite credible, said some experts. "In my experience, OCR is in fact significantly understaffed," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"OCR does get to retain civil monetary penalties and resolution amounts and apply them toward enforcement, such as audits. But it can be difficult to apply one-time enforcement payments toward hiring permanent staff," said Greene, who served in HHS OCR during the Obama administration.
But once new HHS leadership comes in January under Donald Trump's next administration, revamping the HIPAA audit program is not likely to be an urgent item on HHS OCR's to-do list, Greene said. "I don’t see this issue improving when one of the top priorities of the new administration is to cut back on federal regulatory agencies, rather than expanding them," he said.
Nonetheless, "I think that there is a good chance that the new administration will look to reinvigorate the HIPAA audit program, but likely using a 'more with less' approach that will limit the ability of OCR to increase staff," he said.
Privacy attorney Iliana Peters of the law firm Polsinelli agrees with the HHS OIG’s recommendations, with one significant caveat. "I have stated on several occasions, including in my conversations with Congressional staffers, that HHS OCR should be auditing entities that do not report breaches," she said.
"In other words, HHS OCR has the statutory authority to raise the bar with regard to entities in the healthcare sector that arguably are not undertaking any compliance, through the HITECH Act’s audit requirements," she said.
Instead, HHS OCR currently focuses all of its resources on organizations that, at the very least, attempt to report breaches in a timely manner, said Peters, a former senior adviser at HHS OCR.
"Unless HHS OCR undertakes proactive audits on entities that aren’t attempting to comply with HIPAA requirements, given how linked healthcare entities in this sector are, the cybersecurity for the entire sector will never improve."
Privacy attorney Kirk Nahra of the law firm WilmerHale said he has "never been a big fan" of the HIPAA audit program.
"There has been a lot of money spent on it with very little to show. The burden on the selected entities - unclear if these have been random or not - has been enormous and really pretty unfair to those entities," he said.
"I would not think that a more extensive audit program - again, presumably based on some kind of random identification of entities - would be a worthwhile expenditure of resources that could be spent on meaningful investigations or more useful overall guidance," he said.
Additionally, in anticipation of a proposed update to the HIPAA Security Rule, "the focus of the security rule may change, so any audit program now would be almost irrelevant," he said.
The current premise of the HIPAA security rule is designed to be process-oriented because of the vast differences among many types of covered entities, not to mention the even wider range of business associates, he said.
"Any 'guidance' resulting from even a larger number of audits is really likely to be not very useful," he said. "HHS OCR could do more with the results of its actual investigations - even perhaps those that result in closings - by identifying consistent concerns or weak spots," Nahra said.
"That would be an added value from activities that are already underway, similar to what you might expect from an audit program, without the 'unfairness' element of the random audits."
*Updated on Dec. 2, 2024 UTC 14:02 to include HHS OCR's statement to ISMG.