What Happened to HIPAA Audits?
The HITECH Act dictates that HHS perform periodic audits of healthcare organizations to assess their compliance with HIPAA law. However, no such audit has occurred since 2018.
Although the 2019 and 2020 reports to Congress mentioned that criteria for implementing future audits were being prepared, the 2021 report stated that those criteria were still under development.
Unlike in previous years, both reports noted that “OCR did not initiate any audits in 2021 due to a lack of financial resources.”
Keeping Up with Growing Need for OCR Enforcement
Although the OCR has suffered from a lack of resources in recent years, which resulted in less enforcement action, the investigations aren’t going away. If anything, the increase in patient complaints and healthcare breaches has pointed to the need to ramp up enforcement efforts.
In a press release published on February 27, 2023, OCR announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division.
OCR Director Melanie Fontes Rainer stated, “OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022 – an increase of 69 percent between 2017 and 2022 – with 27 percent alleged violations of civil rights, 7 percent alleged violations of conscience/religious freedom, and 66 percent alleged violations of health information privacy and security laws.”
“Breaches of unsecured protected health information (PHI), including electronic PHI, reported to OCR affecting 500 or more individuals (large breaches) increased from 663 large breaches in 2020 to 714 large breaches in 2021. This trend is continuing and to date, hacking accounts for 80 percent of the large breaches OCR has received.”
“Today’s reorganization improves OCR’s ability to effectively respond to complaints, puts OCR in line with its peers’ structure and moves OCR into the future. This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”
OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC) to reflect its work and role in cybersecurity. HIPDC will continue to meet the growing demands to address health information privacy and cybersecurity concerns, stated the HHS release.