HHS enforcement of health data privacy is lacking: report

Illustration: Maura Losch/Axios
The Health and Human Services Department is meeting a requirement for auditing health care organizations' data privacy standards but could be doing more to safeguard patient data, a federal watchdog found.
Why it matters: Cyberattacks affecting health care providers and vendors have become more common in recent years, often exposing individuals' private health information.
The big picture: Under the Health Insurance Portability and Accountability Act (HIPAA), organizations must keep patients' electronic health information private, create safeguards to protect the data and notify patients if their data is breached.
- HHS' Office of Civil Rights is charged with enforcing these rules.
What they found: The HHS Office of Inspector General examined OCR's health privacy audit program from 2016 through 2020 and found that OCR did assess electronic health data protections via audits, according to a report the office published on Monday.
- But in 2016 and 2017, the investigations only assessed 8 of 180 HIPAA requirements included in the audit protocol. The office hasn't conducted any audits since 2017, per HHS inspectors.
- OCR lacked a documentation process for following up on issues surfaced through the audits, and didn't have an established policy on when audits should lead to additional compliance reviews, the report said.
What to watch: The inspectors' report recommends OCR expand the scope of its audits, create standards for making sure issues identified during audits get resolved and define metrics for monitoring how effective the audits are at improving health data protections.
What they're saying: OCR agreed with most of the inspector general's recommendations, but said its small budget — and Congress' failure to allocate additional funds to the office — have made it difficult to improve the audit program.
- "OCR has requested additional appropriations, but such efforts have been unavailing," director Melanie Fontes Rainer said in an August letter to investigators included in the report.
- Audit activities can't be fully improved until OCR receives more federal funding, she said, adding that the office had plans to start more health data privacy audits this year.
- Investigative staff decreased 30% between 2010 and 2023, while the volume of complaints rose 306%. The office had fewer than 100 investigators as of August, according to Fontes Rainer.
