The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information

Posted on by Dissent

Issued on  | Posted on  | Report number: A-18-21-08014

To cut to the chase:

What OIG Found

OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:

  • OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
    • OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
    • only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.
  • OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.

The full report:

A-18-21-08014

Related posts:

Category: Commentaries and AnalysesHealth DataHIPAAOf Note