
They’re Back? HHS OCR Is Eyeing the Return of HIPAA Audits – Source: www.databreachtoday.com


The Agency Is Surveying Previous Auditees to Reassess the Dormant Program

Marianne Kolbasuk McGee (HealthInfoSec) •
February 13, 2024

Federal regulators are hinting that HIPAA compliance audits could be making a comeback after a seven-year hiatus. (Image: Getty)

As U.S. federal regulators fine-tune a strategy to push the healthcare sector into a stronger cybersecurity posture, they appear to be planning to dust off a HIPAA compliance audit program that’s been dormant for years.


The last time the Department of Health and Human Services audited a healthcare organization was 2017. News of the agency potentially resurrecting the program came as a shock.

“This issue is significant,” said regulatory attorney Paul Hales of the Hales Law Group. “Neither covered entities nor business associates expect a federal audit of their HIPAA compliance.”

The Department of Health and Human Services on Monday published in the Federal Register a notice saying that its Office for Civil Rights would be pulling the trigger soon on a study to assess its HIPAA compliance audit program, which was last used in 2017.

HHS OCR said it would conduct a 39-question online survey of 207 covered entities and business associates that participated in the agency’s 2016-2017 HIPAA audits.

“The survey will gather information relating to the effect of the audits on the audited entities and the entities’ opinions about the audit process,” HHS OCR said.

The agency said it is conducting a review of the 2016-2017 HIPAA audits to determine how effective they were at assessing the HIPAA compliance efforts of covered entities.

As part of the review, the online survey will be used to measure the effect of the 2016-2017 HIPAA audits on covered entities’ and business associates’ subsequent actions to comply with the HIPAA rules, the agency said.

The surveys also will give entities an opportunity to offer feedback on the audits and their features, “such as the helpfulness of HHS’ guidance materials and communications, the utility of the online submission portal, whether the audit helped improve entity compliance, and the entities’ responses to the audit-report findings and recommendations,” HHS OCR said.

The agency said it also would look at the surveys to gain better insight into the “burden” imposed on entities to collect audit-related documents and respond to audit-related requests as well as the effect on the organizations’ day-to-day operations.

HHS OCR was mandated to conduct HIPAA audits under the HITECH Act of 2009, but the effort was slow to take off.

The agency hired outside contractors that helped develop a variety of audit protocols, which HHS OCR published in advance of the audits. HHS OCR used those protocols in a couple of rounds of pilot audits, starting in 2011, but the audits – both on-site audits and remote “desk audits” – fizzled out in 2017.

Between 2016 and 2017, in its most recent round of compliance audits, HHS OCR reviewed a little over 200 covered entities and business associates through remote audits.

In December 2020, HHS OCR finally issued a report on its findings from the HIPAA compliance audit program conducted in 2016 and 2017 that illustrates the shortcomings of covered entities and business associates that were chosen for reviews (see: At Last, Results of HIPAA Compliance Audit Program Revealed).

The shortcomings spotlighted in the report are still common today, including the failure to conduct a security risk analysis and to give patients access to their records.

But since the completion of the 2016-2017 audits and the release of the report in 2020, HHS OCR has not focused on or mentioned HIPAA audits as part of its ongoing enforcement plans.

Big Surprise?

The resurgence of the HIPAA audit program took some seasoned HIPAA experts by surprise.

Hales said, “For 15 years, HHS has violated the HITECH Act because it has not conducted annual periodic audits of HIPAA Privacy and Security Rule compliance by covered entities and business associates or submitted findings of those audits to the Senate and House committees named in the law.”

Hales said the fact that OCR had only “dipped its toe in the water by conducting phase 1 and 2 audits and establishing 180 audit protocols” sent the wrong message to the industry.

“That underscores the problem. HIPAA-regulated entities do not fear HIPAA compliance enforcement. Consequently, they consider HIPAA compliance less urgent than other day-to-day matters, and patient privacy is at an unnecessarily high risk.”

The audit program had a significant impact on raising the visibility of compliance issues, and the threat of audits caused many organizations to assess and improve their compliance programs, said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

Since the audits petered out several years ago, “much of OCR’s compliance efforts have been focused on its ‘right of access’ initiative, but we’re seeing a bit less action on that front,” Greene said. “OCR may have more bandwidth to start up phase 3 of the audit program and make it a more permanent part of its compliance and enforcement efforts,” he said.

Still, while HHS OCR’s survey indicates that the agency is interested in restarting the audit program, “it may be some time – a year or more – before a new phase of the program kicks off,” Greene said.

In the last round of audits, the agency for the most part selected a random variety of covered entities and business associates. That method might be best if the agency decides to resume its audit program, Greene said.

“A random, stratified approach makes sense, where it is mostly random but OCR tries to create a representative sample from across the healthcare sector,” he said. “OCR would benefit from greater visibility into entities that are not reporting breaches.”

Hales said the findings of HHS OCR’s last round of audits were “appalling.”

The audit covered only seven topics, “and all CEs and BAs knew they were on the shortlist for audit and knew the questions in advance,” Hales said. HHS OCR published its audit protocols in advance of the audits.

“Nevertheless, 86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit,” Hales said.

“A nationwide periodic audit of HIPAA compliance is a big, resource-heavy job,” he said. “In this climate, HHS will not likely get additional funding from Congress. However, it consistently overlooks a funding source – proceeds from civil money penalties available through the HIPAA enforcement rule,” he said.

HHS OCR did not immediately respond to Information Security Media Group’s request for additional details about its HIPAA audit plans and whether the audits would be used to help round out HHS’ evolving strategy to push healthcare sector entities into implementing stronger cybersecurity programs (see: HHS Details New Cyber Performance Goals for Health Sector).

Original Post url: https://www.databreachtoday.com/theyre-back-hhs-ocr-eyeing-return-hipaa-audits-a-24353
