Recognizing the growing number of profitable cyberattacks targeting health care organizations and their valuable patient data, the Office of the Inspector General (OIG) is calling for improvements to the HIPAA audit program. In its response to OIG and as detailed below, the Office for Civil Rights (OCR) noted that HIPAA audits were expected to resume later this year, presumably meaning in the last few weeks of 2024 or early 2025. OCR last conducted HIPAA audits in 2016-2017, auditing 166 covered entities and 41 business associates. OCR released the findings of those audits in 2020.
In its report published in November 2024, OIG highlighted two primary findings:
- Narrowly Scoped HIPAA Audit Program. OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess protections for electronic protected health information (ePHI) and demonstrate a reduction of risks within the health care sector.
- Ineffective OCR Oversight. OCR oversight of the HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
In addressing these concerns, OIG made a number of recommendations for OCR to enhance its HIPAA audit program. OCR responded to the OIG findings in an August 2024 letter, which OIG published with its report. Below is a summary of OIG’s recommendations for actions by OCR and OCR’s respective responses.
- Audit Physical and Technical Safeguards: Expand the scope of HIPAA audits to assess compliance with HIPAA Security Rule physical and technical safeguards.
  - OCR agreed with this recommendation, stating that it will focus future audits on specific provisions based on a variety of factors, including industry trends and the most prevalent risks and vulnerabilities to PHI. Additionally, OCR indicated that future audits may include selected provisions from the HIPAA Security Rule, including physical or technical safeguards.
- Ensure Deficiencies Are Corrected: Document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.
  - OCR did not concur with this recommendation, stating (i) OCR does not have legal authority in all circumstances to require such injunctive relief; (ii) OCR does not have the staff or financial resources to pursue this against every audited entity; and (iii) this does not align with the purpose of the HIPAA audit program, where the goal is to provide technical assistance to audit participants where deficiencies are found.
- Determine When a Compliance Review Is Warranted: Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
  - OCR agreed with this recommendation, stating it plans to initiate HIPAA audits “later this year” and would develop criteria identifying what factors it may consider in deciding whether to initiate a compliance review of an audited entity where identified compliance issues had not been corrected. Given that the end of the year is almost here, it is unclear how OCR would maintain that timeline at this point. Nevertheless, covered entities and business associates should be aware that OCR plans to recommence HIPAA audits and should take any necessary steps to ensure compliance with the HIPAA Rules.
- Metrics to Monitor Effectiveness: Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over PHI and periodically review whether those metrics should be refined.
  - OCR agreed with this recommendation and stated it will be surveying covered entities and business associates that previously participated in the audits. The survey responses will be used to track how audited entities updated their HIPAA compliance following the audit.
Enforcement Process
The OIG report included a summary and diagram of OCR’s enforcement process for potential HIPAA violations. In summary, OCR reviews complaints received through OCR’s complaint portal, events or incidents brought to OCR’s attention (e.g., by breach reports, media, referrals from other agencies, etc.), or patterns identified through received complaints. OCR must investigate all breach reports affecting 500+ individuals. OCR may begin an investigation if a serious compliance issue is identified or for breaches affecting fewer than 500 individuals. If there is a possible criminal violation, OCR will refer the incident to the Department of Justice, which may conduct a criminal investigation in addition to OCR’s civil investigation.
OCR will collect a variety of evidence to determine whether the entity was in compliance with the HIPAA Rules. HIPAA-regulated entities are legally required to cooperate with complaint investigations and compliance reviews. Where OCR finds indications of noncompliance due to willful neglect or determines that the nature and scope of the noncompliance warrants further enforcement action, OCR will pursue a resolution agreement involving a settlement payment and an obligation to complete a corrective action plan to address compliance issues. If OCR and a HIPAA-regulated entity cannot reach an agreement, or if there is a breach of the terms of such a resolution agreement, OCR may pursue formal enforcement, including a civil monetary penalty.
Key Takeaways
The key takeaway is that OCR is committed to recommencing HIPAA audits and that the scope will be expanded from the previous audits.
In anticipation of the resumption of these audits, covered entities and business associates should review their HIPAA compliance programs, including ensuring they have an up-to-date and comprehensive HIPAA security risk analysis, policies sufficient to meet the requirements of the HIPAA Privacy, Security, and Breach Rules, HIPAA training for workforce members, and business associate agreements in place where required by HIPAA.
Covered entities should also ensure they have a Notice of Privacy Practices that contains the content required by HIPAA and is distributed in accordance with HIPAA’s requirements. For more information on this new report or legal issues related to digital health or data privacy, contact Foley’s Telemedicine & Digital Health or Cybersecurity & Data Privacy teams.
The post OCR Says HIPAA Audits Will Resume: OIG Makes Recommendations for Enhancement appeared first on Foley & Lardner LLP.