As Cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits of Regulated Entities. For example, OIG highlighted the absence of corrective action requirements following audits that raised concerns about the program’s ability to drive improvements in cybersecurity protections following audits of Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:
- Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
- Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
- Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
- Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.
Recent Regulatory and Legislative Efforts to Address Health care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:
- Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
- Health Infrastructure Security and Accountability Act of 2024 (5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
- Health Care Cybersecurity and Resiliency Act of 2024 (5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
- Healthcare Cybersecurity Improvement Act (R.10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.
Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor that requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for healthcare organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.