OIG Report Calls for Enhancements to HIPAA Audit Program
Following a comprehensive review, the Office of Inspector General (OIG) of the Department of Health and Human Services has recommended reforms to the HIPAA audit program run by the Office for Civil Rights (OCR), the program mandated by the Health Insurance Portability and Accountability Act. The report concludes that the program has done little to improve the security of electronic protected health information (ePHI), at a time when the report's own figures show a 239% increase in hacking breaches between 2018 and 2023.
OIG found that OCR's most recent audits, conducted in 2017, assessed only a small fraction of the HIPAA requirements: they touched on only a few Security Rule administrative safeguards and did not assess physical or technical safeguards at all, such as encryption or protections against ransomware. OCR also did not require corrective action for the deficiencies those audits identified and did not track audit outcomes, which further limited the program's effectiveness.
OIG made four key recommendations:
- Expand the audit scope to cover physical and technical safeguards, not just administrative ones.
- Require corrective action for deficiencies identified during audits.
- Establish criteria for opening compliance reviews when audits reveal serious violations.
- Define metrics for measuring whether the audits actually improve cybersecurity.
OCR agreed with most of the recommendations but noted that its resources are limited and that HIPAA audits are voluntary, so the program has focused on providing technical assistance rather than on mandating corrections.
The findings underline the need for strong cybersecurity in healthcare organizations. The report may also prompt OCR to step up enforcement and broaden its audit scope, bringing closer scrutiny to both covered entities and business associates.
Healthcare organizations should strengthen protections for ePHI, conduct comprehensive risk analyses, and remediate weaknesses across administrative, physical, and technical safeguards. Staying aware of changes to OCR's audit protocols and preparing for possible enforcement will be essential to protecting patient information and remaining compliant.
For further detail on the recommendations and their implications, see OIG's full report, report number A-18-21-08014.