Report number: A-18-21-08014
To cut to the chase:
What OIG Found
OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However:
- OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically:
  - OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and
  - only 2 of those 8 requirements were related to Security Rule administrative safeguards, and none were related to physical and technical security safeguards.
- OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates.
The full report: A-18-21-08014