
How health care providers can stay compliant with HIPAA audit changes

HHS-OIG’s recommended changes to the audit program aim to strengthen data protections.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is required by law to perform periodic audits of covered entities and business associates to ensure their compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements. These periodic audits are known as HIPAA audits.

But the increasing number of successful cyberattacks against health care organizations has cast doubt on the effectiveness of OCR’s HIPAA audit program in ensuring the protection of electronic protected health information (ePHI): Between 2018 and 2023, reported breaches affecting more than 500 records increased by 102%, with the number of hacking-related breaches reported to OCR skyrocketing by 239%.

Claire O’Brien, JD

Mousa Alshanteer, JD

Reacting to concerns about the sufficiency of OCR’s enforcement, the HHS Office of Inspector General (OIG) recently evaluated the effectiveness of OCR’s HIPAA audit program.

OIG’s report, issued in November 2024, found that OCR’s oversight of its HIPAA audit program is not effective at improving cybersecurity protections of covered entities and business associates — no surprise, given that OCR has not even conducted a HIPAA audit since 2017. OIG recommended a series of steps that OCR should take to enhance its HIPAA audit program, highlighting the urgency of strengthening cybersecurity measures in the health care industry. Covered entities and business associates should be aware of these recommendations, as OCR’s implementation of the changes may cause a shift in the regulatory environment for HIPAA compliance.

For more information, the full report published by OIG (A-18-21-08014) is available here, and a summary of key points from the report is available here.

OIG’s findings

OIG found that although OCR technically fulfilled its requirement under the Health Information Technology for Economic and Clinical Health Act to perform periodic HIPAA audits, the audit implementation was deficient. Specifically, OCR’s audits assessed only eight of the 180 HIPAA Rules requirements, and only two of those eight were related to Security Rule administrative safeguards — and none were related to physical and technical security safeguards such as encryption, access controls, network security measures and ransomware protections. OIG said that the narrow scope of OCR’s HIPAA audits meant they most likely did not identify entities, such as hospitals, that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats.

Additionally, OIG observed that OCR did not require audited entities to respond to deficiencies by implementing corrective actions and confirming implementation, nor did OCR monitor HIPAA audit program outcomes. Further, OCR failed to define criteria for initiating compliance reviews for organizations with serious compliance issues, limiting OCR’s ability to enforce meaningful change.

Finally, OIG noted that OCR has not established metrics to evaluate the effectiveness of its audits or to monitor whether its audits lead to improved cybersecurity protections for ePHI. As a result, OCR lacks assurance that its audits are achieving their intended goals of improving cybersecurity and reducing risks and vulnerabilities.

OIG’s recommendations

In line with its findings, OIG recommends four key changes for improving OCR’s HIPAA audit program, as follows:

  1. OCR should expand the scope of its HIPAA audits and assess compliance with physical and technical safeguards under the Security Rule, in addition to administrative safeguards. These safeguards include critical protections such as encryption, access controls, network security measures and ransomware protections.
  2. OCR should document and enforce standards for correcting deficiencies identified during its audits and ensure timely implementation of these corrections.
  3. OCR should establish clear criteria for initiating compliance reviews when audits reveal serious compliance issues.
  4. OCR should define metrics to evaluate whether its audits are improving cybersecurity protections with respect to audited organizations. These metrics should be periodically reviewed and refined.

Although OCR agreed with three of the four recommendations, it noted that limited funding and staffing resources remain significant obstacles to expanding its audit program. OCR also stated that the HIPAA audits are designed to be voluntary and intended to provide technical assistance rather than enforce corrections — and OCR expressed concerns that mandatory corrective actions could deter entities from participating in HIPAA audits.

The upcoming change in administration may further impact OCR’s ability and willingness to implement OIG’s recommended changes.

Implications for health care providers

As data breaches, ransomware attacks and other similar incidents continue to rise, OIG’s report serves as a critical reminder of the importance of rigorous ePHI protections. Inadequate cybersecurity measures not only expose health care organizations to regulatory penalties but also jeopardize patient trust and safety. An OIG report outlining the myriad deficiencies of OCR’s HIPAA audit program may motivate OCR to engage in increased enforcement activity in all aspects of HIPAA compliance.

Covered entities and business associates should take proactive steps to address potential cybersecurity vulnerabilities and strengthen HIPAA compliance and ePHI protections. Some key considerations include the following:

  1. Implement and maintain robust physical and technical measures, including data encryption, multifactor authentication, intrusion detection systems and network security measures.
  2. Regularly audit risks to ePHI across all areas, including administrative, physical and technical safeguards under the Security Rule, and ensure that such audits address cybersecurity vulnerabilities such as outdated software, insufficient encryption, and/or weak access controls or network security. OCR’s comprehensive audit protocol, last updated in July 2018, may be a helpful starting point, although updates to the protocol may be necessary to account for the changes and developments in the interim.
  3. Establish (or review and update) internal protocols in response to OIG’s recommendations. Promptly address any deficiencies identified during any audits, leverage audit findings to enhance internal protocols, and maintain detailed documentation of remediation efforts, such as an incident response plan and corrective action plans, to demonstrate compliance should OCR initiate its own audit, investigation or review. These protocols should include procedures for notifying affected individuals and reporting breaches to OCR in compliance with the HIPAA Breach Notification Rule. Employees and staff should be educated on these internal protocols, and providers would be wise to conduct regular training sessions on identifying and mitigating cybersecurity threats, such as phishing attacks.
  4. Monitor updates to OCR’s audit program and enforcement priorities, including the potential expansions of its audit scope to cover additional HIPAA provisions as recommended by OIG, and anticipate heightened scrutiny of cybersecurity practices in light of rising threats.

By taking these steps, covered entities and business associates can strengthen their defenses against cybersecurity threats, ensure compliance with HIPAA requirements and protect the sensitive health information of the patients they serve.

Claire O’Brien, JD, is a partner in the Greensboro, North Carolina, office of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP. She advises companies and individuals on regulatory compliance in the health care, medical and dental device, and pharmaceutical industries.

Mousa Alshanteer, JD, an associate in Brooks Pierce’s Greensboro, North Carolina, office, represents clients in a variety of general business matters. He is also an experienced adviser to health care providers in general, transactional, administrative and regulatory compliance areas.
