Healthcare organizations and businesses that handle protected health information (PHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) to ensure the privacy and security of patient data. As part of HIPAA, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services conducts periodic audits to assess compliance with HIPAA requirements.
However, a recent report by the Office of Inspector General (OIG) found that OCR’s audit program may not be effectively preventing health information breaches. The report, which examined OCR’s audit program from January 2016 to December 2020, highlighted several areas where improvements are needed to enhance the protection of electronic protected health information (ePHI).
According to the report, OCR’s audits focused primarily on physical and technical security safeguards, with limited attention to other important aspects of HIPAA compliance. OIG recommended expanding the scope of the audits to address the requirements outlined in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which extended penalties to business associates of covered entities.
One key finding of the report was that OCR’s audits did not adequately assess compliance with the administrative safeguards of the HIPAA Security Rule. While OCR reviewed a few key requirements related to security risk analysis and risk management, it did not thoroughly evaluate physical and technical security safeguards, leaving potential vulnerabilities unaddressed.
As a result, healthcare organizations and business associates may not have been fully compliant with HIPAA security requirements, putting patient data at risk of breaches. OIG recommended that OCR take steps to address these deficiencies and strengthen its audit program to better enforce HIPAA requirements.
Among the recommendations made by OIG are to expand the scope of the audits to assess compliance with physical and technical safeguards, document and implement standards for correcting deficiencies identified during audits, define criteria for initiating compliance reviews, and establish metrics for monitoring the effectiveness of the audit program.
While OCR has concurred with some of the recommendations and outlined steps to address them, challenges remain in enforcing corrective actions for non-compliance. The report noted that OCR’s audit program is voluntary and primarily focused on providing technical assistance rather than enforcing corrections through penalties or resolution agreements.
To address these challenges, OCR has proposed seeking the authority to pursue injunctive relief, which would allow it to work with the Department of Justice in pursuing remedies for non-compliance with HIPAA rules. This would allow OCR to take more aggressive action against entities that fail to comply with HIPAA requirements, potentially reducing the risk of data breaches and strengthening overall cybersecurity protections.
Overall, the report highlights the need for ongoing efforts to improve the effectiveness of OCR’s HIPAA audit program and ensure that healthcare organizations and businesses handling PHI are held accountable for maintaining the security and privacy of patient data. By implementing the recommendations outlined in the report, OCR can enhance its oversight of HIPAA compliance and better protect ePHI from cybersecurity threats.
The White House has recently reviewed a proposal from the Department of Health and Human Services (HHS) regarding modifications to the HIPAA Security Rule. Once the White House gives its approval, HHS will be able to release a Notice of Proposed Rulemaking for public comment.
The proposed modifications aim to enhance cybersecurity in the healthcare sector by imposing stricter requirements on HIPAA-regulated entities to protect electronic protected health information (ePHI) from cybersecurity threats. The Office for Civil Rights (OCR) stated in the proposal abstract that these changes will help prevent, detect, contain, mitigate, and recover from potential cybersecurity breaches.
According to OCR, the agency plans to publish the proposed rule for public review next month. OCR confirmed the expected timeline for the release in an email to Healthcare IT News following the filing of these modifications.
However, not everyone is in favor of these proposed changes. The American Hospital Association and other organizations have expressed concerns about the potential cybersecurity requirements and penalties that hospitals may face in the event of a cyberattack.
The Office of Inspector General (OIG) also raised issues with the current HIPAA audit program, stating that audited entities were not always required to address deficiencies or confirm implementation of corrective actions. OIG found that OCR lacked a documented process for conducting audits and monitoring outcomes, which could impact patient data security and safety if deficiencies are not promptly addressed.
In conclusion, the proposed modifications to the HIPAA Security Rule are aimed at strengthening cybersecurity measures in the healthcare industry. While there may be some opposition to these changes, it is essential to prioritize the protection of ePHI and ensure that healthcare entities are adequately prepared to address cybersecurity threats.