Andrea Fox of HealthcareNewsIT (https://www.healthcareitnews.com/) reported on November 27, 2024, that OCR HIPAA enforcement is relatively lite. When OCR (Office of Civil Rights) had identified serious compliance issues including discovery of security flaws, followup was rare according to the HHS inspector general’s (OIG) audit program review. The OIG review reviewed records from January 2016 through December 2020. The Office of Civil Rights could have initiated follow-up after discovering security flaws, but “rarely initiated these reviews when it identified serious compliance issues,” according to the HHS inspector general’s audit program review.
“While OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits, OCR oversight of its HIPAA audits program likely was not effective at improving cybersecurity protections at entities,” OIG said in its findings. … “However, assessing two administrative security requirements is generally not sufficient to assess the risk within the healthcare sector and to determine the effectiveness of the [electronic protected health information] security protections that should be in place, as required by the [HIPAA] Security Rule,” OIG said.
After evaluating OCR’s program for performing periodic HIPAA audits, OIG recommended expanding the scope to better execute on HITECH Act of 2009 requirements, which extended criminal and civil penalties to business associates of covered entities.
Read the article at this link:
https://www.healthcareitnews.com/news/ocrs-hipaa-audit-program-lacked-mettle-oig-says