They're Back: HHS OCR Plans to Resurrect Random HIPAA Audits
Agency Is Surveying 207 Previously Audited Firms to Prepare for Next Audit Cycle
As U.S. federal regulators fine-tune a strategy to push the healthcare sector into strengthening its cybersecurity posture, they are dusting off a HIPAA compliance audit program that's been dormant for the last seven years. A new round of HIPAA audits for regulated entities is in the works.
The last time the Department of Health and Human Services audited a healthcare organization was 2017. News of the agency resurrecting the program came as a shock.
"This issue is significant," said regulatory attorney Paul Hales of the Hales Law Group. "Neither covered entities nor business associates expect a federal audit of their HIPAA compliance."
The Department of Health and Human Services on Monday published in the Federal Register a notice saying that its Office for Civil Rights would be pulling the trigger soon on a study to assess its HIPAA compliance audit program, which was last used in 2017.
HHS OCR officials on Wednesday confirmed to Information Security Media Group that new HIPAA audits are indeed on the way. "OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information," said Melanie Fontes Rainer, OCR director.*
The audits also will evaluate regulated entities' compliance with potential changes to the HIPAA Security Rule that the agency is planning for this year.
"Any future potential changes to the HIPAA Security Rule will be incorporated into future audits," an HHS OCR spokesperson told Information Security Media Group. "OCR intends to initiate new audits of HIPAA-regulated entities' compliance with the HIPAA rules, and this information will assist OCR in its future audits."
In its public notice, HHS OCR said it would conduct a 39-question online survey of 207 covered entities and business associates that participated in the agency's 2016-2017 HIPAA audits.
"The survey will gather information relating to the effect of the audits on the audited entities and the entities' opinions about the audit process," HHS OCR said.
The agency said it is conducting a review of the 2016-2017 HIPAA audits to determine how effective they were at assessing the HIPAA compliance efforts of covered entities.
As part of the review, the online survey will be used to measure the effect of the 2016-2017 HIPAA audits on covered entities' and business associates' subsequent actions to comply with the HIPAA rules, the agency said.
The surveys also will give organizations an opportunity to offer feedback on the audits and their features, "such as the helpfulness of HHS' guidance materials and communications, the utility of the online submission portal, whether the audit helped improve entity compliance, and the entities' responses to the audit-report findings and recommendations," HHS OCR said.
The agency said it also will review the surveys to gain better insight into the "burden" imposed on entities to collect audit-related documents and respond to audit-related requests as well as the effect on the organizations' day-to-day operations.
HHS OCR was mandated to conduct HIPAA audits under the HITECH Act of 2009, but the effort was slow to take off.
The agency hired outside contractors that helped develop a variety of audit protocols, which HHS OCR published in advance of the audits. HHS OCR used those protocols in a couple of rounds of pilot audits, including on-site audits and remote "desk audits," starting in 2011, but the program fizzled out in 2017.
Between 2016 and 2017, in its most recent round of compliance audits, HHS OCR reviewed a little over 200 covered entities and business associates through remote audits.
In December 2020, HHS OCR finally issued a report on its findings from the HIPAA compliance audit program conducted in 2016 and 2017 that illustrates the shortcomings of covered entities and business associates that were chosen for reviews (see: At Last, Results of HIPAA Compliance Audit Program Revealed).
The shortcomings spotlighted in the report are still common today, including the failure to conduct a security risk analysis and to give patients access to their records.
But since the completion of the 2016-2017 audits and the release of the report in 2020, HHS OCR has not focused on or mentioned HIPAA audits as part of its ongoing enforcement plans.
Big Surprise?
The resurgence of the HIPAA audit program took some seasoned HIPAA experts by surprise.
Hales said, "For 15 years, HHS has violated the HITECH Act because it has not conducted annual periodic audits of HIPAA Privacy and Security Rule compliance by covered entities and business associates or submitted findings of those audits to the Senate and House committees named in the law."
Hales said the fact that OCR had only "dipped its toe in the water by conducting phase 1 and 2 audits and establishing 180 audit protocols" sent the wrong message to the industry.
"That underscores the problem. HIPAA-regulated entities do not fear HIPAA compliance enforcement. Consequently, they consider HIPAA compliance less urgent than other day-to-day matters, and patient privacy is at an unnecessarily high risk."
The audit program had a significant impact on raising the visibility of compliance issues, and the threat of audits caused many organizations to assess and improve their compliance programs, said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Since the audits petered out several years ago, "much of OCR's compliance efforts have been focused on its 'right of access' initiative, but we're seeing a bit less action on that front," Greene said. "OCR may have more bandwidth to start up phase 3 of the audit program and make it a more permanent part of its compliance and enforcement efforts," he said.
Still, while HHS OCR's survey indicates that the agency is interested in restarting the audit program, "it may be some time - a year or more - before a new phase of the program kicks off," Greene said.
In the last round of audits, the agency for the most part selected a random variety of covered entities and business associates. That method might be best if the agency decides to resume its audit program, Greene said.
"A random, stratified approach makes sense, where it is mostly random but OCR tries to create a representative sample from across the healthcare sector," he said. "OCR would benefit from greater visibility into entities that are not reporting breaches."
Hales said the findings of HHS OCR's last round of audits were "appalling."
The audit covered only seven topics, "and all CEs and BAs knew they were on the shortlist for audit and knew the questions in advance," Hales said. HHS OCR published its audit protocols in advance of the audits.
"Nevertheless, 86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit," Hales said.
"A nationwide periodic audit of HIPAA compliance is a big, resource-heavy job," he said. "In this climate, HHS will not likely get additional funding from Congress. However, it consistently overlooks a funding source - proceeds from civil money penalties available through the HIPAA enforcement rule," he said.
The HIPAA audits - and the planned potential update to the HIPAA security rule - help round out HHS' evolving strategy to push healthcare sector entities into implementing stronger cybersecurity programs. "Future audits will continue to provide insight into how regulated entities are implementing the requirements of the HIPAA Rules," HHS OCR told ISMG (see: HHS Details New Cyber Performance Goals for Health Sector).
*Feb. 14, 2023 UTC 17:26: Updated to incorporate HHS OCR's confirmation of its HIPAA audit plans and a statement from the agency's director.