OCR missed opportunities to prevent health information breaches: HHS watchdog

A government watchdog released a report Monday that accuses the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) of not taking appropriate steps to mitigate cybersecurity risks to healthcare organizations in the years leading up to an explosion of health data breaches.

The OCR wrote in 2023 that “there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware … Additionally, the large breaches reported this year [2023] have affected over 88 million individuals, a 60% increase from last year.” HHS’ Office of Inspector General (OIG) cited the quote in its report.

“OCR missed the opportunity to identify physical and technical deficiencies that should be remediated to reduce risks within the health care sector,” the OIG said.

The watchdog urges the OCR to add more data security benchmarks to its audits for compliance with the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA contains a Privacy Rule, a Security Rule and a Health Breach Notification Rule. Each rule aims to protect sensitive electronic health data and uphold the standards set out in the health data sharing legislation.

But the OIG says the OCR’s HIPAA compliance audits are not adequately holding covered entities and their business associates accountable for known privacy and security issues.

“OCR oversight of its HIPAA audits program likely was not effective at improving cybersecurity protections at entities,” the report said.

The OIG report scrutinized the OCR’s actions from January 2016 to December 2020, but the report focuses on audits completed in 2016-17, for which data are available. The OIG also reviewed OCR reports to Congress, OCR’s industry guidance and vendor contracts used for audits starting in 2016.

The OIG said that the OCR has not completed a HIPAA compliance audit since 2017 and, as of 2020, had not issued data on how frequently it conducts HIPAA audits.

In the OCR’s report to Congress for calendar year 2022, which was issued in 2024, it said it did not initiate additional audits in 2022 because it lacked financial resources.

The OCR did not audit entities on enough benchmarks regarding the security of electronic protected health information (ePHI), the OIG said. It accused the office of assessing only eight of the 180 standards set out in HIPAA across privacy, security and health breach notification.

The OIG report found that the OCR did not perform additional compliance reviews when the office identified concerns with privacy and security practices from a voluntary audit.

Out of 70 healthcare organizations that had “serious compliance issues,” the OCR completed additional compliance reviews for three of them during phase 2 of its audit program, the report said.

“Because of their narrow scope, the HIPAA audits most likely did not identify entities, such as hospitals, that did not implement the physical and technical safeguards defined in the Security Rule to protect ePHI against common cybersecurity threats,” the watchdog said in the report.

The OIG recommended that the OCR “expand the scope of audits to include physical and technical security safeguards” and “document and implement standards and guidance so deficiencies in covered entities standards are corrected quickly.” It also recommends that the OCR “define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review” and “define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over ePHI and periodically review whether these metrics should be refined.”

In its formal response to the OIG, the OCR agreed with most of the recommendations, including auditing covered entities for more physical and technical security safeguards. However, it pushed back on the OIG’s recommendation to assure security problems are corrected, saying that noncompliant entities can choose to pay a fine or take remedial action.

Moreover, the purpose of HIPAA audits is for technical assistance, rather than enforcement, the OCR said. Forcing covered entities to take remedial steps would jeopardize voluntary HIPAA compliance audits, it explained in response to the report.

“As you are aware and has been reported in OCR's Budget request since 2009, OCR has operated on a small budget, even though OCR has submitted significant requests for additional resources to implement and enforce the HIPAA Rules, including audits,” OCR Director Melanie Fontes Rainer wrote in response to the OIG’s report. “The lack of receipt of these requested additional resources has resulted in less staff and investigators to conduct HIPAA audits more frequently, larger scale, or in greater number due to a lack of sufficient funding to conduct all needed operational activities.”

Rainer said the OCR had 60 investigative staff in 2022, an all-time low, while health breach notification complaints reached an all-time high of 51,779.

The OCR has sought additional authority from Congress to seek injunctive relief for noncompliance with the HIPAA rules.