"OCR fulfilled its requirement under the HITECH Act to perform periodic HIPAA audits. However: OCR’s HIPAA audit implementation was too narrowly scoped to effectively assess ePHI protections and demonstrate a reduction of risks within the health care sector. Specifically: OCR’s audits consisted of assessing only 8 of 180 HIPAA Rules requirements; and only 2 of those 8 requirements were related to Security Rule administrative safeguards and none were related to physical and technical security safeguards. OCR oversight of its HIPAA audit program was not effective at improving cybersecurity protections at covered entities and business associates."  MORE >>