The Office for Civil Rights is not checking whether health care providers and other people who handle Americans’ sensitive data are complying with federal health privacy law, a new report from the U.S. Department of Health and Human Services Office of Inspector General has found. 

The Office for Civil Rights, or OCR, is in charge of enforcing HIPAA, the law that protects patients’ data from cyberattackers and other unauthorized parties. However, OCR has not conducted any HIPAA audits since 2017, leaving the nation’s health care organizations to either police themselves or wait until a cyberattack exposes their systems’ inadequacy.

“What gets measured gets done,” said Don Patterson, director of HHS-OIG’s Cybersecurity and IT Audits Division, “so if OCR is not consistently performing these audits to assess whether entities are compliant or not, that can lead to weaknesses and gaps in security controls that may contribute to potential cybersecurity breaches.”