The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has audited the HHS Office for Civil Rights (OCR) to determine whether OCR has met its requirement to perform audits of HIPAA-covered entities to examine HIPAA compliance. A prior HHS-OIG audit, conducted in 2013, examined compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. That audit found that OCR had not assessed the risks, determined priorities, or applied the controls required by the HITECH Act.
Since that audit, cyberattacks on healthcare providers have increased every year. Large data breach reports are currently filed at a rate of over 2 per day, which implies that OCR’s work to boost cybersecurity throughout the healthcare industry is not quite effective and that HIPAA-covered entities are failing to comply with the cybersecurity requirements of the HIPAA Security Rule.
The HITECH Act requires HHS to perform regular audits of HIPAA-covered entities to determine compliance with the HIPAA Rules; nevertheless, OCR has not established a HIPAA audit program because of budget limitations. OCR conducted its last set of HIPAA audits from 2016 to 2017, covering 166 HIPAA-covered entities and 41 business associates. Before those audits, OCR audited 115 HIPAA-covered entities in 2012. No audits have been conducted since 2017.
In February 2024, OCR requested information from previously audited HIPAA-covered entities to learn how the HIPAA audit program could be improved. In May 2024, OCR Director Melanie Fontes Rainer stated that OCR intended to begin auditing HIPAA-covered entities to determine compliance with the HIPAA Security Rule. The audits were expected to begin at the end of 2024, but there has been no news about their start.
HHS-OIG confirmed that OCR complied with the HITECH Act requirement to conduct periodic audits of HIPAA-covered entities, as demonstrated by the audits carried out in 2012 and from 2016 to 2017, but found considerable room for improvement. HHS-OIG determined that the 2016 to 2017 HIPAA audits had a narrow scope. Of the 180 HIPAA Rule requirements, the audits evaluated compliance with only 8, and only 2 of those 8 related to the administrative safeguard requirements of the HIPAA Security Rule. OCR did not evaluate compliance with the technical and physical safeguard requirements of the HIPAA Security Rule at all. HHS-OIG concluded that OCR’s management of the HIPAA audit program was not effective in improving cybersecurity at HIPAA-covered entities.
HHS-OIG made four recommendations to improve the OCR audit program:
- Broaden the scope of the audits to include the technical and physical safeguard requirements.
- Document and enforce requirements and guidance to ensure that problems found through the HIPAA audits are corrected promptly.
- Define and document criteria for determining whether a compliance problem discovered in a HIPAA audit will prompt an OCR compliance review.
- Establish metrics for monitoring the effectiveness of OCR’s HIPAA audits in improving audited entities’ cybersecurity protections for ePHI, and periodically evaluate whether these metrics need to be refined.
The challenge for OCR is insufficient funding. OCR’s budget has remained flat even though its workload has grown substantially. In 2010, OCR investigated only about 200 large data breaches, but in 2023 it investigated 745. From 2010 to 2023, complaints of potential HIPAA violations increased by 306%.
In response to the HHS-OIG recommendations, Director Melanie Fontes Rainer said that the number of HIPAA requirements audited and the frequency of audits are a result of limited funding, which OCR has been trying to address by requesting budget increases since 2009. OCR stated that from 2010 to 2023 its investigative staff shrank by 30%. Today there are fewer than 100 investigators, fewer than 2 per state, and the high caseloads result in low efficiency.
OCR agreed with the HHS-OIG recommendations except for the second, which calls for documenting and enforcing requirements and guidance to ensure that problems found through the HIPAA audits are corrected promptly. Director Fontes Rainer noted that under the HITECH Act, a covered entity may opt to pay a civil monetary penalty instead of carrying out a corrective action plan. OCR cannot compel an entity to implement corrective actions addressing problems discovered during a HIPAA compliance audit or to enter into a resolution agreement; doing so would require new legislation from Congress. OCR has asked Congress for the authority to seek injunctive relief in such cases.
OCR also noted that participation in compliance audits is voluntary. The HIPAA compliance audits are conducted only with willing participants, and when compliance problems are discovered, technical assistance is offered. If participants were instead required to sign a resolution agreement, comply with a corrective action plan, and potentially pay a civil monetary penalty, many HIPAA-covered entities would decline to take part in the audits.