HHS-OIG: HIPAA Audit Program Not Effective at Preventing Breaches


The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) HIPAA audit program is largely ineffective at preventing breaches of protected health information and the scope of the audits is too narrow, according to an audit conducted by the HHS Office of Inspector General (OIG).

The HITECH Act of 2009 requires OCR to conduct periodic HIPAA audits to assess compliance with HIPAA law. Since 2009, OCR has conducted two rounds of HIPAA compliance audits, the first in 2012 and the second in late 2016/early 2017. The first round involved audits of 115 HIPAA-covered entities and assessed compliance with a broad range of HIPAA standards. The second round of audits was much more focused and involved audits of 166 covered entities and 41 business associates.

HHS-OIG's audit covered the period from 2016 to 2020 and involved an analysis of 30 of the 207 final HIPAA audit reports. HHS-OIG determined that over that period, OCR had fulfilled its requirement under the HITECH Act to conduct periodic audits; however, OCR was criticized for the scope of the audits. There are 180 HIPAA requirements, but in the last round of audits OCR focused on only 8, with just 2 of those 8 relating to the HIPAA Security Rule, and both of those to its administrative safeguards. None of the 8 requirements covered the physical or technical safeguards of the HIPAA Security Rule.

HHS-OIG concluded that assessing only 2 security requirements is not sufficient to assess the risk within the healthcare sector or to determine the effectiveness of the security protections that should be in place. A HIPAA-regulated entity could easily pass the audit even though it was not fully compliant with the HIPAA Security Rule. The HIPAA audit program also lacks teeth. Despite two rounds of audits that uncovered HIPAA compliance failures, OCR has not imposed a financial penalty for a compliance failure identified in an audit, and compliance failures identified in audits have not triggered compliance reviews.

HHS-OIG made four recommendations for OCR to improve its HIPAA audit program:

  • Expand the scope of the HIPAA audits to assess compliance with the physical and technical safeguards required by the HIPAA Security Rule.
  • Document and implement standards and guidance for ensuring that any HIPAA compliance issues identified in the audits are corrected in a timely manner.
  • Define and document the criteria for determining whether a compliance issue identified in an audit should trigger a compliance review.
  • Define metrics for monitoring the effectiveness of the audits at improving ePHI protections, and periodically review whether those metrics need to be refined.

OCR concurred with three of the four recommendations and explained that the number and scope of the audits have been limited by a lack of funding, something OCR has been asking Congress to address for many years. OCR did not concur with the second recommendation because HIPAA-regulated entities can avoid a corrective action plan by choosing to pay a civil monetary penalty instead, so OCR cannot compel a HIPAA-regulated entity to adopt a corrective action plan.

OCR told HHS-OIG that Congress has been asked to authorize injunctive relief, which would allow OCR to work with the Department of Justice to pursue remedies through the federal courts when HIPAA violations are identified during audits. There is a potential tension there, as the audit program relies on regulated entities voluntarily submitting to an audit. If financial penalties and corrective action plans become a possible outcome, fewer entities are likely to agree to be audited.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/