HHS OIG calls for Improvements to OCR’s HIPAA Audit Program


Dive Brief:

  • The Office for Civil Rights (OCR) needs to strengthen its HIPAA audit program to effectively enforce the law’s requirements and better protect electronic protected health information (ePHI), according to a report released by the HHS Office of Inspector General (OIG).
  • While the OCR has fulfilled its obligation to conduct periodic HIPAA audits, the program’s narrow scope has hindered its ability to thoroughly assess organizations’ ePHI protections and mitigate potential risks.
  • Ultimately, the audits have failed to significantly enhance cybersecurity at healthcare companies and their business associates, which remains a pressing concern for regulators and lawmakers as the industry continues to be targeted by cybercriminals.

Dive Insight:

The OIG’s report, which examined the OCR’s HIPAA audit activities from 2016 to 2020, revealed that the agency’s program only assessed a limited number of the law’s requirements, specifically just eight of the 180 total requirements.

These eight requirements primarily focused on two administrative safeguards under the HIPAA Security Rule, which require covered entities to analyze and manage risks to their ePHI. The audits did not evaluate whether organizations had implemented physical or technical safeguards to prevent unauthorized access to protected data.

As a result, the OCR’s audit program likely failed to identify non-compliant entities, such as hospitals, that neglected to implement physical and technical safeguards to protect ePHI against common cybersecurity threats.

Furthermore, the OCR did not require audited companies to implement corrective actions, nor did it conduct additional reviews when serious issues were detected during audits.

As of 2020, the agency also lacked a system to monitor the outcomes of its audit program or to document how frequently it conducted audits.

The OIG recommends that the OCR expand its audit program to cover more requirements, develop standards for ensuring corrective actions are implemented, and define criteria for conducting compliance reviews.

The OCR generally concurred with the OIG’s recommendations but cited budget constraints and limited resources as barriers to enhancing its HIPAA enforcement efforts.

The OCR’s budget has remained steady at approximately $38 million from fiscal year 2018 to 2020, while the number of complaints and large data breach reports has increased, and the number of investigative staff has decreased by 30% since fiscal year 2010.

The OCR did, however, disagree with the OIG’s recommendation to document and implement standards for ensuring that problems found in HIPAA audits are corrected, noting that the law allows covered entities to opt to pay a civil monetary penalty rather than resolve an investigation with a corrective action plan.
