web analytics

They’re Back? HHS OCR Is Eyeing the Return of HIPAA Audits – Source: www.databreachtoday.com

Rate this post

Source: www.databreachtoday.com – Author: 1

Healthcare
,
Industry Specific
,
Standards, Regulations & Compliance

The Agency Is Surveying Previous Auditees to Reassess the Dormant Program

Marianne Kolbasuk McGee (HealthInfoSec) •
February 13, 2024    

They're Back? HHS OCR Is Eyeing the Return of HIPAA Audits
Federal regulators are hinting that HIPAA compliance audits could be making a comeback after a seven-year hiatus. (Image: Getty)

As U.S. federal regulators fine-tune a strategy to push the healthcare sector into a stronger cybersecurity posture, they appear to be planning to dust off a HIPAA compliance audit program that’s been dormant for years.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

The last time the Department of Health and Human Services audited a healthcare organization was 2017. News of the agency potentially resurrecting the program came as a shock.

“This issue is significant,” said regulatory attorney Paul Hales of the Hales Law Group. “Neither covered entities nor business associates expect a federal audit of their HIPAA compliance.”

The Department of Health and Human Services on Monday published in the Federal Register a notice saying that its Office for Civil Rights would be pulling the trigger soon on a study to assess its HIPAA compliance audit program, which was last used in 2017.

HHS OCR said it would conduct a 39-question online survey of 207 covered entities and business associates that participated in the agency’s 2016-2017 HIPAA audits.

“The survey will gather information relating to the effect of the audits on the audited entities and the entities’ opinions about the audit process,” HHS OCR said.

The agency said it is conducting a review of the 2016-2017 HIPAA audits to determine how effective they are at assessing the HIPAA compliance efforts of covered entities.

As part of the review, the online survey will be used to measure the effect of the 2016-2017 HIPAA audits on covered entities’ and business associates’ subsequent actions to comply with the HIPAA rules, the agency said.

The surveys also will provide entities with an opportunity to offer feedback on the audits and its features, “such as the helpfulness of HHS’ guidance materials and communications, the utility of the online submission portal, whether the audit helped improve entity compliance, and the entities’ responses to the audit-report findings and recommendations,” HHS OCR said.

The agency said it also would look at the surveys to gain better insight into the “burden” imposed on entities to collect audit-related documents and respond to audit-related requests as well as the effect on the organizations’ day-to-day operations.

HHS OCR was mandated to conduct HIPAA audits under the HITECH Act of 2009, but the effort was slow to take off.

The agency hired outside contractors that helped develop a variety of different audit protocols, which HHS OCR publicly published in advance of the audits. HHS OCR used those protocols in a couple of rounds of pilot audits, starting in 2011, but the audits fizzled out in 2017 – including on-site audits and remote “desk audits.”

Between 2016 and 2017, in its most recent round of compliance audits, HHS OCR reviewed a little over 200 covered entities and business associates through remote audits.

In December 2020, HHS OCR finally issued a report on its findings from the HIPAA compliance audit program conducted in 2016 and 2017 that illustrates the shortcomings of covered entities and business associates that were chosen for reviews (see: At Last, Results of HIPAA Compliance Audit Program Revealed).

The shortcomings spotlighted in the report are still common today, including the failure to conduct a security risk analysis and to give patients access to their records.

But since the completion of the 2016-2017 audits and the release of the report in 2020, HHS OCR has not focused on or mentioned HIPAA audits as part of its ongoing enforcement plans.

Big Surprise?

The resurgence of the HIPAA audit program took some seasoned HIPAA experts by surprise.

Hales said, “For 15 years, HHS has violated the HITECH Act because it has not conducted annual periodic audits of HIPAA Privacy and Security Rule compliance by covered entities and business associates or submitted findings of those audits to the Senate and House committees named in the law.”

Hales said the fact that OCR had only “dipped its toe in the water by conducting phase 1 and 2 audits and establishing 180 audit protocols” sent the wrong message to the industry.

“That underscores the problem. HIPAA-regulated entities do not fear HIPAA compliance enforcement. Consequently, they consider HIPAA compliance less urgent than other day-to-day matters, and patient privacy is at an unnecessarily high risk.”

The audit program had a significant impact on raising the visibility of compliance issues, and the threat of audits caused many organizations to assess and improve their compliance programs, said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

Since the audits petered out several year ago, “much of OCR’s compliance efforts have been focused on its ‘right of access’ initiative, but we’re seeing a bit less action on that front,” Greene said. “OCR may have more bandwidth to start up phase 3 of the audit program and make it a more permanent part of its compliance and enforcement efforts,” he said.

Still, while HHS OCR’s survey indicates that the agency is interested in restarting the audit program, “it may be some time – a year or more – before a new phase of the program kicks off,” Greene said.

In the last round of audits, the agency for the most part selected a random variety of covered entities and business associates. That method might be best if the agency decides to resume its audit program, Greene said.

“A random, stratified approach makes sense, where it is mostly random but OCR tries to create a representative sample from across the healthcare sector,” he said. “OCR would benefit from greater visibility into entities that are not reporting breaches.”

Hales said the findings of HHS OCR’s last round of audits were “appalling.”

The audit covered only seven topics, “and all CEs and BAs knew they were on the shortlist for audit and knew the questions in advance,” Hales said. HHS OCR published its audit protocols in advance of the audits.

“Nevertheless, 86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit,” Hales said.

“A nationwide periodic audit of HIPAA compliance is a big, resource-heavy job,” he said. “In this climate, HHS will not likely get additional funding from Congress. However, it consistently overlooks a funding source – proceeds from civil money penalties available through the HIPAA enforcement rule,” he said.

HHS OCR did not immediately respond to Information Security Media Group’s request for additional details about its HIPAA audit plans and whether the audits would be used to help round out HHS’ evolving strategy to push healthcare sector entities into implementing stronger cybersecurity programs (see: HHS Details New Cyber Performance Goals for Health Sector).

Original Post url: https://www.databreachtoday.com/theyre-back-hhs-ocr-eyeing-return-hipaa-audits-a-24353

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post