The Office for Civil Rights is not checking whether health care providers and other people who handle Americans’ sensitive data are complying with federal health privacy law, a new report from the U.S. Department of Health and Human Services Office of Inspector General has found.
The Office for Civil Rights, or OCR, is in charge of enforcing HIPAA, the law that protects patients’ data from cyberattackers and other unauthorized parties. However, OCR has not conducted any HIPAA audits since 2017, leaving the nation’s health care organizations to either police themselves or wait until a cyberattack exposes their systems’ inadequacy.
“What gets measured gets done,” said Don Patterson, director of HHS-OIG’s Cybersecurity and IT Audits Division, “so if OCR is not consistently performing these audits to assess whether entities are compliant or not, that can lead to weaknesses and gaps in security controls that may contribute to potential cybersecurity breaches.”
STAT+ Exclusive Story