The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information

Posted on November 26, 2024 by Dissent

Issued on 11/21/2024 | Posted on 11/25/2024 | Report number: A-18-21-08014

To cut to the chase:

What OIG Found

OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:

OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:

OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and

only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards.

OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.

The full report:

Category: Commentaries and AnalysesHealth DataHIPAAOf Note