On November 21, 2024, HHS-OIG released a report calling on HHS-OCR to enhance its HIPAA audit program to better enforce HIPAA requirements and improve protections for ePHI. The report is the result of an audit conducted by HHS-OIG in response to an increasing number of successful cyberattacks targeting the healthcare industry. In its report, HHS-OIG concluded that HHS-OCR’s HIPAA audit program had significant shortcomings and included a series of recommendations to the agency to strengthen the program.
Audit Background
The HITECH Act requires HHS-OCR, the agency responsible for enforcing HIPAA, to conduct periodic audits to evaluate whether covered entities and business associates (together, regulated entities) are complying with HIPAA standards. In 2011 and 2012, HHS-OCR implemented a pilot HIPAA audit program (referred to as Phase 1), in which the agency assessed the HIPAA controls and processes implemented by 115 covered entities. In 2016 and 2017, HHS-OCR (with the assistance of contractors) administered an updated version of the HIPAA audit program (referred to as Phase 2), in which the agency audited 207 regulated entities.
In its most recent audit, HHS-OIG reviewed how HHS-OCR administered its HIPAA audit program from January 2016 through December 2020 (i.e., from Phase 2 onward). This assessment included, among other things, (i) an analysis of data from HHS-OCR’s list of reported breaches of unsecured PHI, (ii) a review of HHS-OCR’s standard operating procedures for the HIPAA audit program, (iii) a review of contracts between HHS-OCR and the audit services vendors it used during Phase 2 of the audit program to determine performance metrics, and (iv) a review of 30 (15%) of the 207 final HIPAA audit reports and related documents produced by HHS-OCR during the review period to assess the implementation of HHS-OCR’s audit program and audit protocol.
Key Findings from HHS-OIG’s Report
Based on its audit, HHS-OIG identified several weaknesses in HHS-OCR’s HIPAA audit program. The report highlights the following issues:
- Limited Scope of HIPAA Audits: HHS-OIG found that, during Phase 2 (2016 and 2017), HHS-OCR’s audit program consisted of performing desk audits of selected regulated entities and did not include assessing most of the requirements contained in the agency’s audit protocol. Specifically, HHS-OCR’s audits assessed only eight out of 180 HIPAA Rule requirements found in the agency’s audit protocol, with just two of those addressing Security Rule administrative safeguards and none addressing physical or technical security safeguards. HHS-OIG expressed concern that this limited focus on Security Rule safeguards was “generally not sufficient” to “determine the effectiveness of the ePHI security protections that should be in place, as required by the Security Rule.” Moreover, due to this narrow scope, “the HIPAA audits most likely did not identify entities, such as hospitals that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats.”
- Insufficient Remediation Following HIPAA Audits: HHS-OIG also expressed concerns about HHS-OCR’s lack of follow-up for compliance issues identified during HIPAA audits. For example, although HHS-OCR offered guidance to audited entities to promote compliance with the Security Rule, HHS-OCR did not require audited entities to respond to deficiencies by implementing corrective actions and confirming implementation. HHS-OIG also emphasized that, while HHS-OCR indicated that it had the ability to initiate a separate compliance review for “serious compliance issues” identified during HIPAA audits, the agency “rarely initiated” such reviews. For example, in Phase 2 of the HIPAA audit program, HHS-OCR identified more than 70 audited entities as having serious compliance issues, but only 3 such entities (4%) were subject to a separate compliance review (one related to the Security Rule and two related to the Privacy and Breach Notification Rules). HHS-OIG concluded that HHS-OCR’s “lack of documented procedures for responding to deficiencies and serious compliance issues identified in HIPAA audits, impeded it from determining whether its HIPAA audit program efforts were effective in safeguarding ePHI and improving cybersecurity protections.”
- Lack of Auditing Following Phase 2: HHS-OIG also emphasized that HHS-OCR had not conducted any HIPAA audits since 2017. As a result, HHS-OCR “missed the opportunity” “to proactively identify audited entities’ potential noncompliance with the HIPAA Rules” for the remainder of the review period (2018 through 2020).
HHS-OIG Recommendations
To address these deficiencies and strengthen HHS-OCR’s HIPAA oversight and enforcement, HHS-OIG made the following recommendations in its report:
- Expand the Scope of HIPAA Audits: HHS-OCR should broaden its audit criteria to assess compliance with physical and technical safeguards under the HIPAA Security Rule.
- Document and Implement Standards for Corrective Actions: HHS-OCR should establish clear standards and guidance to ensure that deficiencies identified during HIPAA audits are corrected promptly and effectively.
- Define and Document Parameters for Initiating Compliance Reviews: HHS-OCR should establish criteria for determining whether a compliance issue identified during a HIPAA audit should result in HHS-OCR initiating a compliance review.
- Periodically Review Effectiveness of HIPAA Audit Program: HHS-OCR should develop metrics to evaluate the impact of its HIPAA audits on improving cybersecurity protections, and periodically review and refine these metrics to ensure their continued effectiveness.
HHS-OCR Response
HHS-OCR agreed with all but one of HHS-OIG’s recommendations and detailed its plans for addressing them. These plans include (i) initiating more HIPAA audits; (ii) expanding the scope of HIPAA audits, “contingent upon” HHS-OCR “receiving appropriate funding”; and (iii) developing criteria to determine when HHS-OCR will initiate follow-up compliance reviews for audited entities. In addition, HHS-OCR indicated that it had developed a survey, to be sent later this year to regulated entities that participated in Phase 2 of the HIPAA audit program, which will be used as a mechanism to track how audited entities made HIPAA compliance changes following an HHS-OCR audit.
HHS-OCR did not concur with HHS-OIG’s second recommendation—i.e., ensuring that deficiencies identified during HIPAA audits are corrected in a timely manner. HHS-OCR stated that it lacked statutory authorization under the HITECH Act to compel audited entities to sign resolution agreements or promptly correct deficiencies. The agency also expressed concerns about the resources that would be required to pursue corrective actions or civil monetary penalties in each and every instance, as well as the fact that the agency’s HIPAA audits were “designed to be voluntary and intended to provide technical assistance rather than enforce corrections.” Despite this, the HHS-OIG report represents a strong push for HHS-OCR to reevaluate the nature of its HIPAA audit program. To that end, HHS-OCR noted that it has requested legislation from Congress to authorize it to seek injunctive relief, which would enable HHS-OCR to collaborate with DOJ to pursue remedies in federal court to secure compliance with HIPAA.
Implications for Covered Entities and Business Associates
HHS-OIG’s report serves as a warning to regulated entities that greater scrutiny of HIPAA compliance may be on the horizon. As HHS-OCR works to implement HHS-OIG’s recommendations, regulated entities should proactively assess and strengthen their HIPAA compliance programs, with particular attention to physical and technical safeguards. Regularly updating security measures, addressing known vulnerabilities, and documenting compliance efforts will be critical to meeting potential new audit standards.