The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information

Date Issued

Thursday, November 21, 2024

Submitting OIG

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Report Number

A-18-21-08014

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Link

Open Recommendations

This report has 4 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
25-A-18-015.01	No	$0	$0
We recommend that the Office for Civil Rights expand the scope of its HIPAA audits to assess compliance with physical and technical safeguards from the Security Rule.
25-A-18-015.02	No	$0	$0
We recommend that the Office for Civil Rights document and implement standards and guidance for ensuring that deficiencies identified during the HIPAA audits are corrected in a timely manner.
25-A-18-015.03	No	$0	$0
We recommend that the Office for Civil Rights define and document criteria for determining whether a compliance issue identified during a HIPAA audit should result in OCR initiating a compliance review.
25-A-18-015.04	No	$0	$0
We recommend that the Office for Civil Rights define metrics for monitoring the effectiveness of OCR's HIPAA audits at improving audited entities' protections over ePHI and periodically review whether these metrics should be refined.