Recognizing the growing number of successful cyberattacks targeting health care organizations and their valuable patient data, the Office of the Inspector General (OIG) is calling for improvements to the HIPAA audit program. In its response to OIG and as detailed below, the Office for Civil Rights (OCR) noted that HIPAA audits were expected to resume later this year, presumably meaning in the last few weeks of 2024 or early 2025. OCR last conducted HIPAA audits in 2016-2017, auditing 166 covered entities and 41 business associates. OCR released the findings of those audits in 2020.
In its report published in November 2024, OIG highlighted two major findings:
- Narrowly Scoped HIPAA Audit Program. OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess protections for electronic protected health information (ePHI) and demonstrate a reduction of risks across the health care sector.
- Ineffective OCR Oversight. OCR oversight of the HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
In addressing these concerns, OIG made several recommendations for OCR to enhance its HIPAA audit program. OCR responded to the OIG findings in an August 2024 letter, which OIG published with its report. Here is a summary of OIG’s recommendations for actions by OCR and OCR’s respective responses.
- Audit Physical and Technical Safeguards: Expand the scope of HIPAA audits to assess compliance with HIPAA Security Rule physical and technical safeguards.
- OCR agreed with this recommendation, stating that it will focus future audits on specific provisions based on a variety of factors, including industry trends and the most prevalent risks and vulnerabilities to PHI. Additionally, OCR indicated that future audits may include selected provisions from the HIPAA Security Rule, including physical or technical safeguards.
- Ensure Deficiencies Are Corrected: Document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.
- OCR did not concur with this recommendation, stating (i) OCR does not have legal authority in all cases to require such injunctive relief; (ii) OCR does not have the staff or financial resources to pursue this against every audited entity; and (iii) this does not align with the purpose of the HIPAA audit program, where the goal is to provide technical assistance to audit participants where deficiencies are found.
- Determine When a Compliance Review Is Warranted: Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
- OCR agreed with this recommendation, stating it plans to initiate HIPAA audits “later this year” and would develop criteria identifying what factors it may consider in deciding whether to initiate a compliance review of an audited entity where identified compliance issues had not been corrected. Given that the end of the year is almost here, it is unclear how OCR would maintain that timeline at this point. Nonetheless, covered entities and business associates should be aware that OCR plans to recommence HIPAA audits and take any necessary steps to ensure compliance with the HIPAA Rules.
- Metrics to Monitor Effectiveness: Define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over PHI and periodically review whether those metrics should be refined.
- OCR agreed with this recommendation and stated it will be surveying covered entities and business associates that previously participated in the audits. The survey responses will be used to track how audited entities updated their HIPAA compliance following the audit.
Enforcement Process
The OIG report included a summary and diagram of OCR’s enforcement process for potential HIPAA violations. In summary, OCR reviews complaints received through OCR’s complaint portal, events or incidents brought to OCR’s attention (e.g., by breach reports, media, referrals from other agencies, etc.), or patterns identified through received complaints. OCR must investigate all breach reports affecting 500+ individuals. OCR may begin an investigation if a serious compliance issue is identified or for breaches affecting fewer than 500 individuals. If there is a potential criminal violation, OCR will refer the incident to the Department of Justice, which may conduct a criminal investigation in addition to OCR’s civil investigation.
OCR will collect a variety of evidence to determine whether the entity was in compliance with the HIPAA Rules. HIPAA-regulated entities are legally required to cooperate with complaint investigations and compliance reviews. Where OCR finds indications of noncompliance due to willful neglect or determines that the nature and scope of the noncompliance warrants further enforcement action, OCR will pursue a resolution agreement involving a settlement payment and an obligation to complete a corrective action plan to address compliance issues. If OCR and a HIPAA-regulated entity cannot reach an agreement, or if there is a breach of the terms of such a resolution agreement, OCR may pursue formal enforcement, including a civil monetary penalty.
Key Takeaways
The key takeaway is that OCR is committed to recommencing HIPAA audits, and the scope will be expanded from the previous audits.
In expectation of the resumption of these audits, covered entities and business associates should review their HIPAA compliance programs, including ensuring they have an up-to-date and comprehensive HIPAA security risk assessment, policies sufficient to meet the requirements of the HIPAA Privacy, Security, and Breach Rules, HIPAA training for workforce members, and business associate agreements in place where required by HIPAA.
Covered entities should also ensure they have a Notice of Privacy Practices that contains the content required by HIPAA and is distributed in accordance with HIPAA’s requirements. For more information on this new report or legal concerns related to digital health or data privacy, contact Foley’s Telemedicine & Digital Health or Cybersecurity & Data Privacy teams.
The post OCR Says HIPAA Audits Will Resume: OIG Makes Recommendations for Enhancement appeared first on Foley & Lardner LLP.