As the number of successful cyberattacks on healthcare organizations continues to rise, a new report from the Department of Health and Human Services (HHS) Office of Inspector General (OIG) is calling on HHS to better ensure the protection of electronic protected health information (ePHI).
The HHS Office for Civil Rights (OCR) is required to perform periodic audits of healthcare entities to assess their compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements. This requirement stems from the Health Information Technology for Economic and Clinical Health (HITECH) Act.
However, the OIG found that OCR’s oversight of its HIPAA audit program “was not effective at improving cybersecurity protections at covered entities and business associates.”
While OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits, the watchdog said that OCR’s HIPAA audit implementation was “too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the healthcare sector.”
Specifically, the report says that OCR’s audits consisted of assessing only eight of 180 HIPAA Rules requirements. Notably, only two of those eight requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
The physical and technical safeguards help to protect entities and their systems from “unauthorized intrusion and access to ePHI,” according to the OIG.
“Therefore, OCR missed the opportunity to identify physical and technical deficiencies that should be remediated to reduce risks within the healthcare sector. Further, entities’ ePHI may be vulnerable to compromise by bad actors or accidental exposure by an unintentional mishap,” the report says.
The OIG made four recommendations to OCR, including that it expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule.
It also recommended that OCR document and implement standards and guidance for ensuring that any deficiencies identified during the HIPAA audits are corrected in a timely manner. Additionally, it wants the office to set criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
Lastly, the OIG recommended that OCR define metrics for monitoring the effectiveness of its HIPAA audits at improving audited entities’ protections over ePHI and periodically review these metrics.
OCR agreed with three of the four recommendations. It did not agree with the second recommendation, noting that under the HITECH Act, “entities can choose to pay civil money penalties instead of addressing HIPAA deficiencies through corrective action plans and cannot be compelled to sign resolution agreements or promptly correct issues.”
The report was publicly released the same week that Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., introduced a bill aiming to bolster cybersecurity in the healthcare sector and safeguard Americans’ health data.
The bill – called the Health Care Cybersecurity and Resiliency Act of 2024 – would require HHS to update the HIPAA regulations so that HIPAA-covered entities and business associates must use modern cybersecurity practices. These include multi-factor authentication, safeguards to encrypt protected health information, and requirements to conduct other “audits” such as penetration testing.