
HHS-OIG Recommends OCR Enhance its HIPAA Audit Program

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has conducted an audit of the HHS Office for Civil Rights (OCR) to assess whether OCR has fulfilled its requirement to conduct audits of HIPAA-regulated entities to assess compliance with the HIPAA Rules. A previous HHS-OIG audit in 2013 to assess compliance with the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to conduct HIPAA compliance audits found that OCR had not assessed the risks, established priorities, or implemented controls required by the HITECH Act.

Since that audit, cyberattacks on healthcare organizations have been increasing every year and large data breaches are now being reported at a rate of more than 2 per day, which suggests the efforts of OCR to improve cybersecurity across the healthcare sector may not be effective and HIPAA-regulated entities may not be complying with the cybersecurity requirements of the HIPAA Security Rule.

[Figure: healthcare data breaches of 500 or more records, 2009-2025]

The HITECH Act requires the HHS to conduct periodic audits of HIPAA-regulated entities to evaluate compliance with the HIPAA Rules; however, OCR has yet to establish a permanent HIPAA audit program due to budget constraints. The last set of HIPAA audits was conducted in 2016 and 2017 on 166 HIPAA-covered entities and 41 business associates, and prior to those audits, OCR conducted a round of audits in 2012 on 115 HIPAA-covered entities; however, there have been no further audits since 2017.

In February 2024, OCR issued a request for information from previously audited HIPAA-regulated entities on how the HIPAA audit program could be improved, and in May this year, OCR Director Melanie Fontes Rainer said it was the intention of OCR to start auditing HIPAA-regulated entities to assess compliance with the HIPAA Security Rule. The audits were expected to commence by the end of the year. The third phase of audits commenced in December 2024.


HHS-OIG determined that OCR had complied with the requirements of the HITECH Act to conduct regular audits of HIPAA-regulated entities, as audits were conducted in 2012 and again in 2016/2017; however, there is significant room for improvement. HHS-OIG found that the latest round of HIPAA audits in 2016/2017 was narrow in scope and only assessed compliance with 8 of the 180 HIPAA Rule requirements, and only 2 of those 8 requirements were related to the administrative safeguards of the HIPAA Security Rule. OCR did not assess compliance with the physical and technical safeguards required by the HIPAA Security Rule. HHS-OIG determined that OCR’s oversight of the HIPAA audit program was not effective at improving cybersecurity protections at HIPAA-regulated entities.

HHS-OIG made four recommendations to improve the OCR audit program:

  1. Expand the scope of the audits to include physical and technical safeguards.
  2. Document and implement standards and guidance to ensure that deficiencies identified during the HIPAA audits are corrected in a timely manner.
  3. Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
  4. Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections for ePHI and periodically review whether these metrics should be refined.

The problem for successive OCR Directors has been a lack of funding. OCR’s budget has remained flat, yet its workload has increased considerably. Consider that in 2010 and 2011, OCR only had to investigate around 200 large data breaches, yet in 2023, there were 745 large data breaches, and complaints about potential HIPAA violations increased by 306% from 2010 to 2023.

In response to the HHS-OIG recommendations, the OCR Director explained that the limited number of HIPAA provisions audited and the low frequency of audits are due to inadequate funding – something OCR has been trying to address through budget increase requests since 2009. OCR said that between 2010 and 2023, the number of investigative staff decreased by 30% to the lowest ever level, and that it now has fewer than 100 investigators, less than 2 per state. Further, the unsustainably high caseloads result in high attrition.

OCR concurred with all of the recommendations apart from one: documenting and implementing standards and guidance to ensure that deficiencies identified during the HIPAA audits are corrected in a timely manner. Fontes Rainer explained that under the HITECH Act, an entity may choose to pay a civil monetary penalty rather than implement a corrective action plan, and it is not possible to compel an entity to sign a resolution agreement and agree to take corrective actions to address deficiencies identified during a HIPAA compliance audit. That would require new legislation from Congress. OCR has requested that Congress give OCR the authority to seek injunctive relief in this regard.

OCR also pointed out that participation in the compliance audits is not mandatory. The audits review HIPAA compliance at willing participants and if compliance issues are identified, technical assistance is provided. If there were requirements to enter into a resolution agreement, adhere to a corrective action plan, and potentially pay a civil monetary penalty, many HIPAA-regulated entities would refuse to participate in the audits.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
