HIPAA audits not effective at improving cybersecurity: OIG

Dive Brief:

• The Office for Civil Rights, which oversees HIPAA enforcement, should improve its program for auditing compliance with the privacy and security law, according to a report published Monday by the HHS’ Office of Inspector General. 
• Though the OCR fulfilled its requirements to conduct periodic HIPAA audits, the program was too narrow in scope to effectively assess organizations’ protections for health data and reduce risks, according to the OIG. 
• Overall, the audits weren’t effective at improving cybersecurity at healthcare companies and their business associates — a major concern for regulators and lawmakers as cybercriminals increasingly target the industry. 

Dive Insight:

The report, which analyzed how OCR conducted its HIPAA audits from 2016 though 2020, found the agency’s program assessed few of the law’s requirements.

The audits consisted of assessing only eight of 180 HIPAA requirements, according to the OIG. Those eight requirements included appraising two administrative safeguards under HIPAA’s security rule, which require covered entities to analyze and manage risks to their protected health information.

But the audits didn’t assess healthcare organizations’ use of physical or technical safeguards for their data, which aim to prevent unauthorized actors — like hackers — from gaining access to their technology systems and exposing protected data, according to the OIG. 

“[...] Because of their narrow scope, the HIPAA audits most likely did not identify entities, such as hospitals that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats,” the watchdog wrote in the report. 

The agency’s audit program missed ways to address noncompliance too, according to the OIG. The OCR didn’t require audited companies to implement corrective measures, and it rarely initiated additional reviews when serious issues were found during audits. 

The agency also didn’t monitor outcomes from its audit program or document the frequency of its audits as of 2020, according to the report. 

The watchdog suggested OCR expand the scope of its audit program, document standards to ensure companies fix problems found during the assessments, define criteria for when the agency should conduct compliance reviews and determine metrics to evaluate the effectiveness of HIPAA audits.

The OCR agreed with most of the recommendations, but added that the agency has a small budget and hasn’t received more resources funding and staffing to enforce HIPAA.

The agency’s budget held steady around $38 million from fiscal year 2018 through 2020. Meanwhile, OCR has received more complaints and large data breach reports, and the number of invesigative staff fell 30% from fiscal year 2010 through 2023, OCR Director Melanie Fontes Rainer wrote to the OIG.

“The lack of receipt of these requested additional resources has resulted in less staff and investigators to conduct HIPAA audits more frequently, larger scale, or in greater number due to a lack of sufficient funding to conduct all needed operational activities,” she wrote.

The agency didn’t agree with OIG’s recommendation to document and implement standards for ensuring problems found in HIPAA audits are corrected. The OCR argued the law gives covered entities the option to pay a civil monetary penalty instead of resolving an investigation with a corrective action plan. The agency added resource constraints prevent it from implementing corrective action plans, and HIPAA audits aim to provide technical assistance rather than issue corrections.