The U.S. Department of Health and Human Services is meeting the minimum requirements for auditing health organizations' data privacy practices, but a recent report shows there's more work to be done to protect patient data.
Cyberattacks on healthcare providers and vendors have increased in recent years, often exposing sensitive patient information. HIPAA requires healthcare organizations to protect patients' electronic health data, implement safeguards, and notify patients if their information is breached. The HHS Office for Civil Rights is responsible for enforcing these rules.
The HHS Office of Inspector General reviewed the OCR's health data privacy audits from 2016 to 2020. While the audits assessed some aspects of data protection, the 2016 and 2017 audits examined only 8 of the 180 required HIPAA standards, and no further audits have been conducted since 2017.
The November report also found that the OCR lacked a process for following up on audit findings and didn't have clear guidelines for when audits should lead to further compliance reviews.
The report recommends that the OCR broaden its audits, set standards to ensure audit findings are addressed, and establish clear metrics to track how well audits improve data protection.
The OCR agreed with most of the recommendations but said its small budget has made it difficult to improve the audit program. The office also pointed to Congress' failure to provide additional funding to support these efforts.