OCR's HIPAA audit program lacked mettle, OIG says
In examining how the Office for Civil Rights administered its periodic Health Insurance Portability and Accountability Act audit program from January 2016 through December 2020, the U.S. Department of Health and Human Services' Office of Inspector General found that the program was likely not effective at improving cybersecurity protections at the entities it audited, according to a new report.
After evaluating OCR's program for performing periodic HIPAA audits, OIG recommended expanding the audits' scope to better carry out the requirements of the HITECH Act of 2009, which extended HIPAA's civil and criminal penalties to business associates of covered entities.
WHY IT MATTERS
While OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits, those audits were too narrowly scoped and did not assess the physical and technical security safeguards required by the Security Rule, OIG concluded in its report released Friday.
"OCR oversight of its HIPAA audits program likely was not effective at improving cybersecurity protections at entities," OIG said in its findings.
The watchdog agency audited how OCR administered its HIPAA audit program, reviewing 30 of the 207 final HIPAA audit reports and related documents produced by OCR from 2016 to 2020.
When OCR conducted a HIPAA audit during that period, it reviewed only eight of the 180 requirements in the HIPAA Rules. OIG said that while two of those eight requirements related to Security Rule administrative safeguards – security risk analysis and risk management – none related to physical or technical security safeguards.
The audit program's lack of attention to security flaws traces back more than a decade, OIG indicated in the new report.
Healthcare organizations and business associates had been struggling to implement the administrative safeguards required by the HIPAA Security Rule, OCR concluded after conducting HIPAA audits in 2012, OIG noted.
"However, assessing two administrative security requirements is generally not sufficient to assess the risk within the healthcare sector and to determine the effectiveness of the [electronic protected health information] security protections that should be in place, as required by the [HIPAA] Security Rule," OIG said.
So while OCR performed the required audits, audited organizations could pass them without fully complying with HIPAA's security requirements.
"In addition, because of their narrow scope, the HIPAA audits most likely did not identify entities, such as hospitals, that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats," OIG said.
Before conducting this latest audit of OCR's HIPAA audit program, the watchdog agency said, its team reviewed the statutory requirements in HITECH, the HIPAA Enforcement Rule requirements, OCR's policies and procedures for implementing HITECH requirements and enforcing the HIPAA Rules, the agency's HIPAA compliance reports to Congress and the cyber-related guidance the agency provided to the healthcare industry from 2016 to 2020.
OIG has recommended that OCR:
- Expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule.
- Document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner (the one recommendation with which OCR did not concur).
- Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
- Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.
OCR concurred with the other three recommendations and provided OIG with the detailed steps it has taken and plans to take in response, according to an HHS statement.
At issue is whether OCR can compel healthcare organizations to correct the deficiencies discovered during HIPAA audits. In its response to the new efficacy review, OCR noted that "HIPAA audits were designed to be voluntary and intended to provide technical assistance rather than enforce corrections," OIG said.
"OCR stated that, under the HITECH Act, entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues," OIG added.
The civil money penalties OCR imposes in enforcement actions can be substantial, and healthcare entities have a strong interest in avoiding them.
OCR told OIG that it has asked lawmakers for authority to seek injunctive relief, "which would enable OCR to collaborate with the Department of Justice to pursue remedies in Federal court to secure compliance with the HIPAA Rules."
THE LARGER TREND
HHS developed national standards for the use and dissemination of healthcare information, including standards to protect ePHI under HIPAA – the Privacy Rule, the Security Rule and the Breach Notification Rule – and in August 2009 delegated to OCR the authority to implement and enforce the Security Rule and to impose civil money penalties for noncompliance.
OCR piloted its audit program in 2011, and OIG said its own 2013 review of that program found that while OCR met some federal requirements related to overseeing and enforcing the HIPAA Security Rule, it had limited assurance that covered entities actually complied with the rule.
At the time, OIG recommended that the agency strengthen the periodic audits required by the HITECH Act to ensure that entities comply with the HIPAA Security Rule.
In 2016, during its second wave of HIPAA audits, OCR announced it would conduct on-site HIPAA audits of hospitals the following year.
"We’re looking for evidence that you are implementing the policies and procedures," OCR senior advisor Linda Sanches said at the 2016 HIMSS and Healthcare IT News Privacy & Security Forum.
"Two huge problems we’re seeing are implementation of risk analysis and risk management."
When OCR investigations have found longstanding, systemic noncompliance with the HIPAA Security Rule that led to massive breaches of PHI, it has levied millions in fines.
In its response to the HIPAA audit program review, OCR reiterated a point it has made many times: it "does not have the financial or staff resources to pursue corrective action plans or penalties for every entity with HIPAA deficiencies," since negotiating resolution agreements and initiating formal enforcement actions are resource intensive, OIG noted.
In October, HHS filed proposed modifications to the HIPAA Security Rule, intended to strengthen the cybersecurity of ePHI, with the Office of Information and Regulatory Affairs. Once the White House completes its review of the proposal, HHS can release a Notice of Proposed Rulemaking for public comment.
"These modifications will improve cybersecurity in the healthcare sector by strengthening requirements for HIPAA regulated entities to safeguard [ePHI] to prevent, detect, contain, mitigate and recover from cybersecurity threats," OCR said in the proposal abstract.
OCR told Healthcare IT News by email, when the Security Rule modifications were filed, that it anticipates publishing the proposed rule next month.
The American Hospital Association and other organizations have pushed back on HHS proposals that would mandate cybersecurity requirements and penalize hospitals for cyberattacks.
ON THE RECORD
"For example, OCR did not require audited entities to respond to deficiencies by implementing corrective actions and confirming implementation," OIG said in its findings.
"In addition, OCR did not monitor HIPAA audit program outcomes. This occurred because OCR lacked a documented process and procedures for conducting these audit steps, including for timely resolving identified deficiencies," the watchdog agency continued.
"Without responses from entities, OCR does not have commitments that corrective actions have been or will be implemented to address deficiencies which, if left unaddressed, could impact patient data, care and safety."