Recognizing the growing number of lucrative cyberattacks targeting health care organizations and their valuable patient data, the Office of the Inspector General (OIG) is calling for improvements to the HIPAA audit program. In its response to OIG, and as detailed below, the Office for Civil Rights (OCR) noted that HIPAA audits were expected to resume later this year, presumably meaning in the last few weeks of 2024 or early 2025. OCR last conducted HIPAA audits in 2016-2017, auditing 166 covered entities and 41 business associates. OCR released the findings of those audits in 2020.
In its report published in November 2024, OIG highlighted two major findings:
- Narrowly Scoped HIPAA Audit Program. OCR's HIPAA audit implementation was too narrowly scoped to effectively assess protections for electronic protected health information (ePHI) and demonstrate a reduction of risks across the health care sector.
- Ineffective OCR Oversight. OCR oversight of the HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
In addressing these concerns, OIG made several recommendations for OCR to enhance its HIPAA audit program. OCR responded to the OIG findings in an August 2024 letter, which OIG published with its report. Here is a summary of OIG's recommended actions for OCR and OCR's respective responses.
- Audit Physical and Technical Safeguards: Expand the scope of HIPAA audits to assess compliance with the HIPAA Security Rule's physical and technical safeguards.
  - OCR agreed with this recommendation, stating that it will focus future audits on specific provisions based on a variety of factors, including industry trends and the most prevalent risks and vulnerabilities to PHI. Additionally, OCR indicated that future audits may include selected provisions from the HIPAA Security Rule, including physical or technical safeguards.
- Ensure Deficiencies Are Corrected: Document and implement standards and guidance for ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner.
  - OCR did not concur with this recommendation, stating that (i) OCR does not have legal authority in all circumstances to require such injunctive relief; (ii) OCR does not have the staff or financial resources to pursue this against every audited entity; and (iii) this does not align with the purpose of the HIPAA audit program, where the goal is to provide technical assistance to audit participants where deficiencies are found.
- Determine When a Compliance Review Is Warranted: Define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
  - OCR agreed with this recommendation, stating that it plans to initiate HIPAA audits "later this year" and would develop criteria identifying the factors it would consider in deciding whether to initiate a compliance review of an audited entity where identified compliance issues had not been corrected. Given that the end of the year is nearly here, it is unclear how OCR would keep to that timeline at this point. Nevertheless, covered entities and business associates should be aware that OCR plans to recommence HIPAA audits and should take any necessary steps to ensure compliance with the HIPAA Rules.
- Metrics to Monitor Effectiveness: Define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over PHI, and periodically review whether those metrics should be refined.
  - OCR agreed with this recommendation and stated that it will survey covered entities and business associates that previously participated in the audits. The survey responses will be used to track how audited entities updated their HIPAA compliance following the audit.
Enforcement Process
The OIG report included a summary and diagram of OCR's enforcement process for potential HIPAA violations. In summary, OCR reviews complaints received through OCR's complaint portal, events or incidents brought to OCR's attention (e.g., through breach reports, media coverage, referrals from other agencies, etc.), or patterns identified across received complaints. OCR must investigate all breach reports affecting 500 or more individuals. OCR may open an investigation where a serious compliance issue is identified, or for breaches affecting fewer than 500 individuals. If there is a possible criminal violation, OCR will refer the matter to the Department of Justice, which may conduct a criminal investigation in parallel with OCR's civil investigation.
OCR will collect a variety of evidence to determine whether the entity was in compliance with the HIPAA Rules. HIPAA-regulated entities are legally required to cooperate with complaint investigations and compliance reviews. Where OCR finds indications of noncompliance due to willful neglect, or determines that the nature and scope of the noncompliance warrants further enforcement action, OCR will pursue a resolution agreement involving a settlement payment and an obligation to complete a corrective action plan that addresses the compliance issues. If OCR and a HIPAA-regulated entity cannot reach an agreement, or if the entity breaches the terms of such a resolution agreement, OCR may pursue formal enforcement, including a civil monetary penalty.
Key Takeaways
The key takeaway is that OCR is committed to recommencing HIPAA audits, and that their scope will be expanded beyond that of the previous audits.
In anticipation of the resumption of these audits, covered entities and business associates should review their HIPAA compliance programs, including ensuring that they have an up-to-date and comprehensive HIPAA security risk analysis, policies sufficient to meet the requirements of the HIPAA Privacy, Security, and Breach Notification Rules, HIPAA training for workforce members, and business associate agreements in place where required by HIPAA.
Covered entities should also ensure that they have a Notice of Privacy Practices that contains the content required by HIPAA and is distributed in accordance with HIPAA's requirements. For more information on this new report or on legal considerations related to digital health or data privacy, contact Foley's Telemedicine & Digital Health or Cybersecurity & Data Privacy teams.
The post OCR Says HIPAA Audits Will Resume: OIG Makes Recommendations for Enhancement appeared first on Foley & Lardner LLP.