OIG Says HIPAA Enforcement Needs Improvement
The HHS Office for Civil Rights should take 10 steps to strengthen its oversight of HIPAA Privacy Rule compliance as well as improve follow-up activities on reported data breaches, a government watchdog agency says in two new reports. Among the recommended steps are the launching of a long-overdue, permanent HIPAA compliance audit program, adding information about small breaches to OCR’s case-tracking system and expanding HIPAA education outreach efforts.
The Department of Health and Human Services’ Office of Inspector General issued the reports evaluating OCR, which is responsible for HIPAA enforcement. In each of the reports, “OCR Should Strengthen Its Follow-up of Breaches of Patient Health Information Reported by Covered Entities” and “OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards,” OIG made five recommendations. OCR agreed to carry out all of them.
In its report about OCR’s oversight of HIPAA Privacy Rule compliance by covered entities, OIG found that:
● OCR investigated possible noncompliance with the privacy standards primarily in response to complaints;
● OCR has not fully implemented the required audit program to proactively identify possible noncompliance by covered entities;
● In about half of the closed privacy cases that OIG reviewed, OCR determined that covered entities were noncompliant with at least one privacy standard;
● OCR documented corrective action for almost three-quarters of privacy cases in which it requested such actions from covered entities; however, 26 percent of cases had incomplete documentation;
● 71 percent of OCR staff at least sometimes checked whether covered entities had been previously investigated; however, 29 percent rarely or never did so;
● OCR’s case-tracking system has limited search functionality; and
● 27 percent of Medicare Part B providers did not address all five selected privacy standards reviewed by OIG.
OIG’s five recommendations, which OCR says it is implementing, include:
1. Fully implementing a permanent audit program;
2. Maintaining complete documentation of corrective action;
3. Developing an efficient method in OCR’s case-tracking system to search for and track covered entities;
4. Developing a policy requiring OCR staff to check whether covered entities have been previously investigated; and
5. Continuing to expand HIPAA outreach and education efforts to covered entities.
In its report evaluating OCR’s follow-up on breaches reported by covered entities, OIG acknowledged that OCR routinely investigates breaches affecting 500 or more individuals, as required under the HITECH Act. In almost all of the completed investigations, OCR has determined that covered entities were noncompliant with at least one HIPAA Privacy Rule standard.
Although OCR documented corrective action for most of the closed large-breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities, OIG says.
OIG says OCR also did not record information about smaller breaches in its case-tracking system, which limits OCR’s ability to track and identify covered entities with multiple small breaches.
Although 61 percent of OCR staff at least sometimes checked whether covered entities had reported prior large breaches, 39 percent of OCR staff rarely or never did so, OIG says. “If OCR staff wanted to check, they may face challenges because its case tracking system has limited search functionality and OCR does not have a standard way to enter covered entities’ names in the system,” OIG notes.
Based on these findings, OIG said OCR should:
1. Enter small-breach information into its case-tracking system or a searchable database linked to it;
2. Maintain complete documentation of corrective action;
3. Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches;
4. Develop a policy requiring OCR staff to check whether covered entities reported prior breaches; and
5. Continue to expand outreach and education efforts to covered entities.
In response to OIG’s call for implementing a permanent HIPAA compliance audit program, as required under the HITECH Act, OCR Director Jocelyn Samuels outlined steps the office is taking toward that long-delayed goal.
“We will launch our audit program in early 2016. This phase will test the efficacy of a combination of desk reviews of policies as well as on-site reviews. It will target common areas of non-compliance and will include HIPAA business associates,” Samuels wrote in a letter dated Sept. 23.
Samuels noted that key audit-preparation activities over the next several months include “OCR updating its HIPAA audit protocols; refining the pool of potential audit subjects; and implementing a screening tool to assess size, entity type and other information about potential audit subjects.”
One HIPAA expert says OIG’s assessment of OCR’s enforcement activities spotlights several important issues.
“The reports in their formal federal language are an attempt to light a bigger fire under OCR to use the authority in the HITECH Act for the proactive audits to reach the second plateau of operation,” says independent HIPAA attorney Susan Miller.
“While all five recommendations in each report are important, the small-breach information and a fully implemented permanent audit program are very important for HIPAA enforcement to reach the next higher level of operations,” she says. “Both reports taken together put both investigations and audits on the same enforcement level, making each as important as the other. It is also a recognition that a complaint and its related investigation may lead to a breach finding, and that both investigations and breaches produce corrective action plans.”
(OIG website, ISMG website)
For more information on this and other topics related to HIPAA, HR, OSHA, and Medicare, please email support@hcsiinc.com or visit our website at http://www.hcsiinc.com