OCR not auditing enough providers, OIG says
If you feel like government regulators are breathing down your neck about Health Insurance Portability and Accountability Act (HIPAA) compliance, some of their bosses are thinking just the opposite. A report issued recently by the Department of Health and Human Services Office of Inspector General (OIG) concluded that the Office for Civil Rights (OCR) is not doing enough to enforce the HIPAA Security Rule.
According to the OIG, OCR had not assessed the risks, established priorities, or implemented controls for its Health Information Technology for Economic and Clinical Health (HITECH) Act requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. In addition, OCR's Security Rule investigation files didn't contain required documentation supporting key decisions because its staff didn't consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation.
OIG also found that OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data. (The entire OIG report is available online at http://tinyurl.com/ojzv3xl.)
The OIG also makes clear in the report that HIPAA compliance audits will continue. The pilot audits OCR ran in 2012 indicated that covered entities generally have more difficulty complying with the Security Rule than other aspects of HIPAA, the report says, and that small covered entities struggle with HIPAA compliance in each of the assessment areas: privacy, security and breach notification.
In a hint of what covered entities might see from OCR this year, the OIG report recommended that OCR take these steps:
- assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
- provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
- implement sufficient controls, including supervisory review and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
- implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.
OCR responded to the OIG report by generally agreeing with the OIG's recommendations and describing how it had already taken action to address them. As for continuing the compliance audits, OCR's response said that future audits "are less likely to be broad assessments generally across the Rules and more likely to focus on key areas of concern for OCR identified by new initiatives, enforcement concerns, and Departmental priorities."