HHS Requests Feedback to Improve HIPAA Audit Program
The Department of Health and Human Services (HHS) is conducting a survey of HIPAA-covered entities and business associates who were subject to HIPAA compliance audits in 2016 and 2017 to obtain feedback on the audit process and to discover the impact the audits had.
Entities selected for an audit were required to provide copies of documentation that proved they were complying with certain aspects of the HIPAA Privacy, Security, and Breach Notification Rules. These were desk audits that consisted of documentation checks. After being notified that they had been selected for an audit, documentation needed to be submitted to OCR via an online portal.
The HHS wants feedback on the audit process, the burden the audits placed on covered entities and business associates, and any impact they had on day-to-day business operations. The HHS is also keen to hear about any impact the audits had on the audited entities’ subsequent actions to comply with the HIPAA Rules. The HHS said the information collected will be used to fine-tune the audit process for future audits. The survey will consist of 39 questions, with responses collected via an online portal.
The publication of the information collection request in the Federal Register has come as a shock for many healthcare organizations, as it has been 7 years since the last round of audits was conducted. The gathering of information on the audit process could indicate that the HHS is planning another round of HIPAA audits or could be about to implement a permanent audit program, as is required by the HITECH Act.
The HITECH Act of 2009 requires the HHS to conduct annual audits of HIPAA-regulated entities to assess compliance with the HIPAA Rules, but OCR has not complied with this requirement. OCR conducted a round of audits in 2011 and a second round of audits in 2016/2017, but has not conducted annual audits, only investigations of complaints and data breaches. Both rounds of audits revealed widespread noncompliance with the HIPAA Rules but there were no enforcement actions in response to the audits.
OCR has announced that updates to the HIPAA Security Rule will be proposed in the spring of 2024 to introduce new cybersecurity requirements, but it is clear from the findings of the 2016/2017 audits that healthcare organizations are not even fully compliant with HIPAA provisions that have been mandatory for two decades. One of the problems is the lack of enforcement. OCR is issuing few financial penalties for HIPAA violations, has a huge backlog of investigations, and even when audits were conducted and noncompliance was identified, financial penalties were not imposed. While there is a risk of being investigated or audited, the probability of a financial penalty being imposed is relatively low and perhaps too low to prompt sufficient investment in compliance.
OCR has recently created voluntary cybersecurity performance goals and will be encouraging organizations to implement these high-impact measures to improve cybersecurity by offering incentives and financial assistance but if there are few consequences for noncompliance, there is unlikely to be the widespread change that is needed to improve cybersecurity across the sector.