HIPAA Audits Coming
The Office of Civil Rights (OCR) in the HHS Department has announced that it will resume audits of employers who are covered by HIPAA. The primary driver is data security (see the first bullet below). The healthcare sector has become a prime target for malefactors. According to OCR, many organizations do not comply adequately with the HIPAA Security Rule. In its settlements with victimized employers, OCR has found the following compliance failures:
- OCR reported in March 2024 that there has been a 256% increase in large data breaches involving hacking and a 264% increase in ransomware attacks over the past five years.
- A major cause is failure to conduct accurate and thorough risk assessments: Many entities have not performed accurate or comprehensive security risk analyses, leaving them vulnerable to known risks.
- Insufficient monitoring of information systems: OCR has pointed out the lack of policies and procedures required under the Security Rule to log and monitor information systems for suspicious activity.
- Inadequate safeguards to mitigate risks: Even when entities are aware of the risks posed by cyberattacks, many fail to implement sufficient measures to protect electronic protected health information (ePHI).
- Overall noncompliance with the Security Rule: OCR has found a general lack of adherence to the requirements of the Security Rule, particularly regarding policies, procedures, and employee training.
Penalties have been in the hundreds of thousands of dollars, and the cost of bringing systems into compliance is considerable, including the time needed to effect any mandated changes.
The non-financial preventative steps employers can take usually include some or all of the following:
- Conduct a comprehensive and thorough Security Risk Analysis and develop an enterprise-wide Risk Management Plan;
- Review, develop, and revise all Privacy and Security Rule policies and procedures;
- Develop and implement an effective workforce training program on all such policies and procedures; and
- Review all vendor and third-party provider relationships to identify business associates and ensure all appropriate agreements are in place.