OIG Says HIPAA Enforcement Needs Improvement
The HHS Office for Civil Rights should take 10 steps to strengthen its oversight of HIPAA Privacy Rule compliance as well as improve follow-up activities on reported data breaches, a government watchdog agency says in two new reports. Among the recommended steps are the launching of a long-overdue, permanent HIPAA compliance audit program, adding information about small breaches to OCR’s case-tracking system and expanding HIPAA education outreach efforts.
The Department of Health and Human Services’ Office of Inspector General issued the reports evaluating OCR, which is responsible for HIPAA enforcement. In each of the reports, OCR Should Strengthen Its Follow-up of Breaches of Patient Health Information Reported by Covered Entities and OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards, OIG made five recommendations. OCR agreed to carry out all of them.
In its report about OCR’s oversight of HIPAA Privacy Rule compliance by covered entities, OIG found that:
● OCR investigated possible noncompliance with the privacy standards primarily in response to complaints;
● OCR has not fully implemented the required audit program to proactively identify possible noncompliance from covered entities;
● In about half of the closed privacy cases that OIG reviewed, OCR determined that covered entities were noncompliant with at least one privacy standard;
● OCR documented corrective action for almost three-quarters of privacy cases in which it requested such actions from covered entities; however, 26 percent of cases had incomplete documentation;
● 71 percent of OCR staff at least sometimes checked whether covered entities had been previously investigated; however, 29 percent rarely or never did so;
● OCR’s case-tracking system has limited search functionality; and
● 27 percent of Medicare Part B providers did not address all five selected privacy standards reviewed by OIG.
OIG’s five recommendations, which OCR says it is implementing, include:
1. Fully implementing a permanent audit program;
2. Maintaining complete documentation of corrective action;
3. Developing an efficient method in OCR’s case-tracking system to search for and track covered entities;
4. Developing a policy requiring OCR staff to check whether covered entities have been previously investigated; and
5. Continuing to expand HIPAA outreach and education efforts to covered entities.
In its report evaluating OCR’s follow-up on breaches reported by covered entities, OIG acknowledged that OCR routinely investigates breaches affecting 500 or more individuals, as required under the HITECH Act. In almost all of the completed investigations, OCR has determined that covered entities were noncompliant with at least one HIPAA Privacy Rule standard.
Although OCR documented corrective action for most of the closed large breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities, OIG says.
OIG says OCR also did not record information about smaller breaches in its case-tracking system, which limits OCR’s ability to track and identify covered entities with multiple small breaches.
Although 61 percent of OCR staff at least sometimes checked whether covered entities had reported prior large breaches, 39 percent of OCR staff rarely or never did so, OIG says. “If OCR staff wanted to check, they may face challenges because its case tracking system has limited search functionality and OCR does not have a standard way to enter covered entities’ names in the system,” OIG notes.
Based on these findings, OIG said OCR should:
1. Enter small-breach information into its case-tracking system or a searchable database linked to it;
2. Maintain complete documentation of corrective action;
3. Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches;
4. Develop a policy requiring OCR staff to check whether covered entities reported prior breaches;
5. Continue to expand outreach and education efforts to covered entities.
In response to OIG’s call for implementing a permanent HIPAA compliance audit program, as required under the HITECH Act, OCR Director Jocelyn Samuels outlined steps the office is taking toward that long-delayed goal.
“We will launch our audit program in early 2016. This phase will test the efficacy of a combination of desk reviews of policies as well as on-site reviews. It will target common areas of non-compliance and will include HIPAA business associates,” Samuels wrote in a letter dated Sept. 23.
Samuels noted that key audit-preparation activities over the next several months include “OCR updating its HIPAA audit protocols; refining the pool of potential audit subjects; and implementing a screening tool to assess size, entity type and other information about potential audit subjects.”
One HIPAA expert says OIG’s assessment of OCR’s enforcement activities spotlights several important issues.
“The reports in their formal federal language are an attempt to light a bigger fire under OCR to use the authority in the HITECH Act for the proactive audits to reach the second plateau of operation,” says independent HIPAA attorney Susan Miller.
“While all five recommendations in each report are important, the small-breach information and a fully implemented permanent audit program are very important for HIPAA enforcement to reach the next higher level of operations,” she says. “Both reports taken together put both investigations and audits on the same enforcement level, making each as important as the other. It is also a recognition that a complaint and its related investigation may lead to a breach finding, and that both investigations and breaches produce corrective action plans.”