OIG Audit Reveals Gaps in OCR’s HIPAA Audit Program
Alliance Daily
On November 25, 2024, the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published findings from an audit of the Office for Civil Rights’ (OCR) HIPAA Audit Program. The report highlights significant shortcomings in OCR’s implementation and oversight of the program, raising concerns about the protection of electronic protected health information (ePHI) in the face of escalating cyber threats.
The healthcare industry has experienced an alarming rise in cyberattacks, including ransomware and data breaches, in recent years. According to OCR’s annual reports, reported breaches affecting 500 or more individuals increased by 87% between 2016 and 2022. In 2023 alone, hacking incidents accounted for 77% of reported breaches, exposing the data of over 88 million individuals. These attacks can jeopardize sensitive health information, disrupt operations, and pose risks to patient care and safety. For example, a recent data breach involving a subcontractor for the Centers for Medicare & Medicaid Services (CMS) potentially exposed the personal and health information of over 900,000 Medicare beneficiaries, highlighting the threat such breaches pose to ePHI privacy protections.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required HHS to establish national standards for the use and dissemination of healthcare information, including for the protection of ePHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act required, among other things, HHS to perform periodic audits, known as HIPAA audits, of covered entities and business associates to ensure compliance with HIPAA requirements. These audits, conducted through OCR’s HIPAA Audit Program, aim to ensure compliance with HIPAA rules, particularly amid rising cybersecurity risks in the healthcare sector.
The OIG reviewed OCR’s administration of its HIPAA Audit Program from January 16 to December 2020, which included an examination of 30 of the 207 final HIPAA audit reports and related documents produced by the agency during that period. The OIG found that although OCR fulfilled its requirement to perform HIPAA audits pursuant to the HITECH Act, these audits were limited in scope, and coupled with a lack of follow-up on serious compliance issues, raised questions about the program’s efficacy.
The OIG noted the following in its report:
- Inadequate Audit Scope: The OIG observed that in 2016 and 2017, OCR’s HIPAA Audit Program conducted desk audits of selected entities, assessing only 8 of the 180 requirements outlined in its comprehensive audit protocol, with a focus on only two Security Rule administrative safeguards and no evaluation of physical or technical security safeguards. The OIG noted that although these safeguards were identified as risk areas in a 2012 OCR audit, the assessment of these two safeguards alone is insufficient to assess security risks within the healthcare sector and determine ePHI protection effectiveness. Moreover, the OIG found that due to the HIPAA audits’ limited scope, they likely failed to identify entities that had not implemented the physical and technical safeguards indicated in the HIPAA Security Rule to protect ePHI from common cybersecurity threats.
- Insufficient Oversight and Follow-Up: The OIG found that OCR’s oversight of its HIPAA Audit Program was not likely to effectively improve covered entities’ cybersecurity protections. In particular, the OIG found that OCR did not require entities to implement corrective actions for deficiencies identified during audits, raising concerns about the absence of any elements in OCR’s HIPAA Audit Program to address and monitor compliance with the HIPAA Rules. Further, OCR did not define how it would initiate compliance reviews for serious violations, resulting in potential missed opportunities to ensure its audit program was effective in helping protect ePHI and improving entities’ cybersecurity threat preparedness.
- Resource Limitations and Audit Frequency: OCR cited financial and staffing constraints as barriers to expanding the audit scope and enforcing corrective actions, and although it has requested additional appropriations, these efforts have not been successful. Further, since 2017, OCR has not conducted any new HIPAA audits, potentially missing an opportunity to identify audited entities’ noncompliance with HIPAA rules.
The OIG issued several recommendations to OCR:
- expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule;
- document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner;
- define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review; and
- define metrics for monitoring the effectiveness of OCR’s HIPAA audits at improving audited entities’ protections over ePHI and periodically review whether these metrics should be refined.
OCR concurred with the first, third, and fourth recommendations, agreeing to enhance audit scope (provided the agency receives appropriate funding) and focus future audits on a variety of factors, establish follow-up criteria, and develop program metrics. However, OCR did not concur with the second recommendation, citing limitations under the HITECH Act and concerns about deterring voluntary audit participation.[1]
The findings highlight a need for healthcare providers, including those delivering care in the home, to proactively address cybersecurity risks and strengthen HIPAA compliance efforts. As OCR addresses the report’s recommendations, healthcare providers must remain vigilant in their compliance efforts amid an evolving cybersecurity landscape.
[1] OCR indicated it has sought legislation from Congress to grant it authority to seek injunctive relief, allowing collaboration with the Department of Justice to pursue remedies in federal court to enforce compliance with HIPAA Rules.
Keeping Referral Partners Happy After Dropping Contracts With Medicare Advantage Plans
Home Health Care News / By Audrie Martin
Home health providers may walk away from specific health plans due to financial feasibility, administrative burdens, or misalignment with their patient care values and priorities. However, this decision can create short-term challenges with referral partners and health systems, as they may have patients enrolled in those plans.
“If a health plan consistently under-reimburses for services or requires excessive administrative hurdles, it may compromise the ability to deliver quality care efficiently,” Preston Lucas, chief financial officer at Interim HealthCare Great Lakes, told Home Health Care News. “Additionally, if the plan’s policies restrict access to necessary treatments or fail to support the level of care required for patients, it becomes difficult to sustain the partnership.”
Founded in 1966, Interim HealthCare provides home health care, personal care and support, hospice care and medical staffing services. The Sunrise, Florida-based franchise network comprises 320 individually owned and operated offices. Interim HealthCare Great Lakes operates in the Midwest and in Florida.
Medicare Advantage (MA) plans often pay meager rates for home health services. Particularly as the Centers for Medicare & Medicaid Services (CMS) reduces traditional Medicare rates, that puts providers’ business sustainability in danger.
Maintaining open lines of communication and emphasizing the shared goal of providing high-quality care helps mitigate the short-term consequences of leaving a health system, according to Lucas. By explaining the rationale – such as unsustainable reimbursement rates or obstacles to patient care – most partners understand the need for such decisions. Ultimately, prioritizing the best patient outcomes resonates with referral partners.
“Transparency and collaboration are key,” Lucas said. “When communicating such decisions, engaging referral partners early in the process is important. This includes explaining the reasons behind the decision and offering supporting data. Above all, focusing on how the decision aligns with patient care priorities ensures the conversation remains constructive.” …
A Stroke Changed a Teacher's Life: How a New Electrical Device is Helping her Move
Miami Herald / By Michelle Marchante
As her students finished their online exam, Arlet Lara got up to make a cafe con leche.
Her 16-year-old son found her on the kitchen floor. First, he called Dad in a panic. Then 911.
"I had a stroke and my life made a 180-degree turn," Lara told the Miami Herald, recalling the medical scare she experienced in May 2020 in the early months of the COVID pandemic.
"The stroke affected my left side of the body," the North Miami woman and former high school math teacher said.
Lara, an avid runner and gym goer, couldn't even walk.
"It was hard," the 50-year-old mom said.
After years of rehabilitation therapy and foot surgery, Lara can walk again. But she still struggles with moving.
This summer, she became the first patient in South Florida to get an implant of a new and only FDA-approved nerve stimulation device designed to help ischemic stroke survivors regain movement in their arms and hands.
This first procedure was at Jackson Memorial Hospital in Miami. Lara's rehab was at the Christine E. Lynn Rehabilitation Center for The Miami Project to Cure Paralysis, part of a partnership between Jackson Health System and UHealth.
Every year, thousands in the United States have a stroke, with one occurring every 40 seconds, according to the U.S. Centers for Disease Control and Prevention. The majority of strokes are ischemic, often caused by blood clots that obstruct blood flow to the brain.
For survivors, most of whom are left with some level of disability, the Vivistim Paired VNS System, the device implanted in Lara's chest, could be a game changer in recovery, said Dr. Robert Starke, a UHealth neurosurgeon and interventional neuroradiologist. He also serves as co-director of endovascular neurosurgery at Jackson Memorial Hospital, part of Miami-Dade's public hospital system…
APTA has announced the newly elected or reelected members of the Board of Directors and officers, and of the Nominating Committee.
Elected or reelected to the Board:
- Kyle Covington, PT, DPT, PhD, was elected APTA president for a three-year term.
- Skye Donovan, PT, PhD, was elected APTA vice president for a three-year term.
- Robin L. Dole, PT, DPT, EdD, was elected vice speaker of the House of Delegates to complete the one-year unexpired term of Kyle Covington.
- Stefanie Bourassa, PT, DPT, and Jeff Jankowski, PT, DPT, ATC, were elected as directors, each for a three-year term.
- Jamie Dyson, PT, PhD, was elected a director to complete the two-year unexpired term of Skye Donovan.
- Kim Nixon-Cave, PT, PhD, MS, FAPTA, was reelected as a director for a three-year term.
- Patrick Esmonde, MSE, was appointed by the Board as the public member for a one-year term. Esmonde is co-founder of health tech startup company Vestibular First.
The APTA Board provides strategic direction for the organization and advocates on behalf of physical therapists, physical therapist assistants, students of physical therapy, and patients nationwide to advance the profession of physical therapy and improve the health of society.
Speaking on behalf of APTA, CEO Justin Moore, PT, DPT, said, “It is my honor to welcome our new and reelected members and officers of the APTA Board of Directors, while also extending heartfelt gratitude to our departing leaders who have devoted years to advancing the physical therapy profession. We are truly ‘better together.’ This Board and its officers bring diverse insights that are essential to helping APTA best support our members and the patients they serve. These individuals are exemplary leaders and dedicated champions for policies that benefit the physical therapy community. I look forward to seeing the meaningful work they will achieve during their service on the APTA Board.”
The remaining members and officers, who will join those above as the APTA 2025 Board of Directors, are:
- Secretary: Kip Schick, PT, DPT, MBA.
- Treasurer: Zoher Kapasi, PT, MSPT, PhD, MBA, FAPTA.
- Speaker of the House: William (Bill) McGehee Jr., PT, PhD.
- Director: Colleen Chancler, PT, PhD, MHS.
- Director: Carmen Cooper-Oguz, PT, DPT, MBA.
- Director: Heather Jennings, PT, DPT.
- Director: Craig Johnson, PT, MBA.
- Director: Kelley Kubota, PT, MS.
Current President Roger Herr, PT, MPA; Vice President Susan Appling, PT, DPT, PhD; Director Cindy Armstrong, PT, DPT; Director Dan Mills, PT, MPT; and Public Member Cris Massis, MBA, will roll off the APTA Board this December. “We are grateful to these outgoing leaders for their exceptional dedication and service to APTA and the profession. Their work leaves APTA stronger and well-positioned to continue building a community that is advancing the physical therapy profession,” Moore said.
Nominating Committee
Monique Caruth, PT, DPT, was elected to the Nominating Committee. She will begin a three-year term Jan. 1, 2025, joining the committee’s four other members:
- Ken Harwood, PT, PhD, FAPTA.
- Tracy Porter, PT, DPT, EdD.
- Jennifer Marie Ryan, PT, DPT MS.
- LaDarius (L.D.) Woods, PT, DPT, PhD.
Current committee member Stephanie Weyrauch, PT, DPT, will roll off the committee this December. “APTA appreciates Stephanie’s participation in the important work of the Nominating Committee to prepare the slate of candidates for national office,” Moore said.
Trump Picks TV's Dr. Oz to Run Medicare and Medicaid
Reuters / By Ahmed Aboulenein
U.S. President-elect Donald Trump said on Tuesday that he had chosen television personality and surgeon Dr. Mehmet Oz to serve as administrator of the Centers for Medicare and Medicaid Services, a wide-reaching agency with annual spending of $2.6 trillion.
Trump, who endorsed Oz in his unsuccessful run in Pennsylvania for the U.S. Senate in 2022, said he would work closely with Robert F. Kennedy Jr., who was nominated to lead the Department of Health and Human Services.
Oz said in a post on social media website X he was looking forward "to serving my country to Make America Healthy Again under" Kennedy's leadership.
Trump said the pair would take on "the illness industrial complex, and all the horrible chronic diseases left in its wake" as well as cutting what he called waste and fraud.
"Our broken Healthcare System harms everyday Americans, and crushes our Country's budget," Trump said in a statement.
The agency runs Medicare, the federal health insurance program for people aged 65 or older and the disabled. The office also oversees Medicaid, the state-based health insurance program for low-income people, which is jointly funded by states and the federal government. The two programs provide health insurance for over 140 million Americans.
It also handles much of the enrollment in income-based government-subsidized health insurance under the Affordable Care Act, also known as Obamacare. Trump and other Republicans have previously tried to repeal the law but now say they only seek to overhaul it.
His nomination is less likely to cause negative reaction among pharmaceutical companies than Kennedy's, an outspoken critic of drugmakers, said BMO analyst Evan Seigerman.
"While Oz has been controversial and a noted TV personality, his stance on expanded Medicare coverage and tackling ... pricing challenges could be a positive for the industry in the long run," he wrote in a note.
Oz was a regular Fox News commentator during the COVID-19 pandemic and a proponent of unproven treatments for COVID-19 including hydroxychloroquine, an antimalarial drug whose use against the disease was also backed by Trump.
Oz challenged the Biden administration's COVID-19 pandemic policies on social media, including mask policies, saying they ignored the science and were based on missing data.
In 2020, he was a proponent of expanding Medicare Advantage plans in which insurers manage healthcare benefits paid for by the government to all Americans who were not enrolled in Medicaid in a column published in Forbes magazine.
Oz promoted Medicare Advantage on his syndicated daytime television talk show, which aired between 2009 and 2022, in segments sponsored by a website selling the plans.
Shares of all major health insurers in the U.S. were marginally up after the decision with UnitedHealth (UNH.N), Humana (HUM.N) and Molina Healthcare (MOH.N) moving up between 1% and 2% in after-hours trade.
Trump promised during his campaign not to cut Medicare but is expected to let federal subsidies for Medicaid expire at the end of 2025.
After RFK Jr. was named to the job last week, Oz told Fox News that he knew the HHS secretary nominee personally. The position is subject to Senate confirmation.