HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

OCR’s HIPAA audit strategy scrutinized in new report

Written by Caitlin Anthoney | Nov 30, 2024 1:26:46 AM

The Office of Inspector General (OIG) criticized the Office for Civil Rights (OCR) for failing to follow up on compliance issues identified in HIPAA audits from 2016 to 2020, a report released Friday revealed. 

While OCR fulfilled its audit obligations under the HITECH Act, the OIG found the program insufficient in improving cybersecurity safeguards.

 

What happened

A recent OIG review found that OCR's HIPAA audits during the period reviewed were narrowly focused on administrative safeguards, like security risk analysis and management, but neglected physical and technical protections for electronic protected health information (ePHI). None of the eight HIPAA requirements reviewed addressed the physical or technical safeguards necessary for countering cyber threats.

Furthermore, the report found that OCR rarely initiated compliance reviews even when audits revealed serious deficiencies. The OIG also cited limited resources and the voluntary nature of the audits as barriers to enforcement.  

 

What was said

"In addition, because of their narrow scope, the HIPAA audits most likely did not identify entities, such as hospitals, that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats," OIG stated in its findings.  

The OCR acknowledged that audits were intended to provide technical assistance, not enforce corrective actions. The agency noted that under the HITECH Act, entities can opt to pay fines instead of addressing deficiencies, ultimately limiting the OCR’s leverage.

 

Why it matters

OIG concluded that the audit program at OCR lacked breadth and follow-up to enforce good cybersecurity practices. Without compliance, patient data is at risk, and entities can bypass meaningful corrections. 

Moreover, the continued rise in healthcare cyberattacks calls for improved audit efficacy to protect sensitive patient information.

 

The bottom line

The OCR agreed to enhance its approach but emphasized resource limitations. With proposed HIPAA Security Rule modifications expected next month, a better cybersecurity framework can be expected in the near future.

 

FAQs

Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare fall under the Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks compromise the privacy and security of PHI and lead to severe penalties, including fines and reputational damage.

 

Who needs to comply with HIPAA?

HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.

 

What makes an emailing platform HIPAA compliant?

An emailing platform is HIPAA compliant if it includes encryption, access controls, audit controls, and secure transmission to safeguard patients’ PHI.
