HHS Inspector General calls out OCR for inadequate HIPAA enforcement
Farah Amod December 10, 2024
The HHS Inspector General raised concerns about OCR's shortcomings in enforcing HIPAA, pointing to inadequate audits contributing to the increase in health data breaches.
What happened
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a report accusing the Office for Civil Rights (OCR) of failing to take effective measures to reduce cybersecurity risks in healthcare. The OIG claims that inadequate HIPAA compliance audits contributed to a surge in health data breaches, impacting millions of individuals.
Going deeper
The Office for Civil Rights (OCR) was criticized by the Office of Inspector General (OIG) for its narrow audit scope, which reviewed only 8 out of HIPAA's 180 standards related to privacy, security, and breach notification. The OIG also noted a lack of follow-up compliance reviews for entities with serious deficiencies. For instance, only 3 of the 70 entities flagged for compliance issues received further review during the second phase of OCR's audit program.
OCR audits primarily focus on providing technical assistance rather than enforcing compliance, which the OIG deemed inadequate. To address this, the OIG recommended broadening the audits to cover more physical and technical security safeguards, ensuring prompt correction of deficiencies, and developing metrics to measure audit effectiveness.
In the know
The OIG reviewed OCR's HIPAA compliance audits covering 2016 through 2020 and found that the 2016-17 audits lacked clear benchmarks. The OIG also pointed to rising risks, citing OCR's 2023 data showing a 239% increase in hacking-related large breaches and a 278% rise in ransomware incidents since 2020. These breaches affected over 88 million individuals in 2023, a 60% increase over the previous year.
The report also noted OCR's resource limitations. Since 2009, OCR has dealt with tight budgets and a shrinking staff. By 2022, its investigative team had fallen to 60 staff members, the lowest on record, even as it handled a record 51,779 health breach complaints that year.
What was said
The OIG called for stricter oversight, urging OCR to refine its audit process and ensure non-compliant entities address their deficiencies. It also recommended that OCR conduct additional compliance reviews when audits identify serious issues.
In its response, OCR agreed with most recommendations, including expanding audit benchmarks. However, it resisted requiring remedial actions, arguing that enforcing corrections might discourage voluntary audit participation.
Why it matters
The OIG’s findings point to audit gaps that leave ePHI vulnerable and stress the need for stronger oversight to ensure accountability. Limited resources and enforcement tools restrict OCR’s ability to prevent health data breaches, posing serious risks to the privacy and security of millions of patients.
Lessons learned
- Expand what's audited: OCR's audits barely scratched the surface, reviewing only 8 of HIPAA's 180 standards. Including overlooked areas like technical safeguards or physical access controls could help detect the weak points that lead to breaches, such as unencrypted devices or lax access policies. For example, looking more closely at how organizations handle offsite backups could reduce data loss during ransomware attacks.
- Enforce real consequences: It’s clear that a lack of follow-up on flagged issues undermines the audit process. Of the 70 entities found with major deficiencies, only 3 received additional review. A system for ensuring flagged organizations make tangible improvements would signal that compliance isn’t optional and could reduce repeat violations.
- Tackle resource shortages: The Office for Civil Rights (OCR) is limited in its ability to take action due to a shrinking team and static funding. Handling over 51,000 complaints in 2022 with just 60 investigators was a difficult task. Increasing staff and budget would directly improve its ability to investigate breaches and follow through on flagged issues, reducing the backlog and enabling quicker action on rising threats.
- Be proactive, not reactive: Healthcare organizations shouldn’t wait for OCR audits to identify weaknesses. Relying solely on post-breach reviews means problems often go unaddressed until it’s too late. Conducting regular internal checks on data encryption, employee access controls, and incident response plans could catch and resolve issues early before they result in costly breaches.
- Invest in smarter solutions: Simple issues like weak encryption or outdated software are still common causes of breaches. Tools that integrate encryption and access monitoring into daily operations can make compliance easier and less reliant on staff remembering every security protocol. Solutions like secure email platforms and automated monitoring systems would provide immediate benefits without requiring massive operational changes.
- Keep staff informed: Cyber threats change quickly, and outdated training leaves healthcare staff vulnerable. Regular, specific training sessions—for example, how to spot phishing emails or secure mobile devices—would help organizations address vulnerabilities tied directly to human error, which remains a leading cause of data breaches.
FAQs
What are HIPAA audits?
HIPAA audits are evaluations of healthcare organizations and their business associates to ensure they comply with HIPAA rules for protecting health information, including ePHI. These audits focus on privacy, security, and breach notification standards.
What is OCR?
The Office for Civil Rights (OCR) is part of the Department of Health and Human Services (HHS). It enforces HIPAA regulations to protect the privacy and security of health data and investigates complaints about health information breaches.
What is OIG?
The Office of Inspector General (OIG) is an independent oversight agency within HHS. It monitors and evaluates HHS programs, including OCR’s HIPAA enforcement, to improve effectiveness and prevent misuse of resources.
What is HHS?
The Department of Health and Human Services (HHS) is a federal agency that oversees public health programs and enforces HIPAA. It works to protect health data privacy and improve healthcare systems across the US.
What is ePHI?
Electronic protected health information (ePHI) includes any health information stored, sent, or received electronically, such as medical records and billing data. HIPAA requires strict protections for this data to ensure privacy and security.