Improvements Needed Regarding OCR’s HIPAA Oversight and Breach Follow-Up

by Leonardo M. Tamburello

The Office of Inspector General (OIG) recently issued two reports regarding HIPAA oversight activities performed by the Office for Civil Rights (OCR).  The first of these reports examined OCR’s oversight of covered entities’ compliance with the Privacy Rule.  The second report looked at OCR’s handling of covered entities’ reported HIPAA breaches.   Both reports included recommendations to OCR for improvement in these areas.  OCR agreed with all of OIG’s recommendations, suggesting changes to OCR oversight and enforcement activities in the near future.

Both studies were conducted by reviewing statistical samples of OCR investigations from September 2009 through March 2014, surveying OCR staff, interviewing OCR officials, reviewing OCR’s investigation policies, and reviewing documentation provided by a statistical sample of Medicare Part B providers to determine the extent to which they addressed five selected privacy standards or three selected breach administrative standards, as applicable to each study.

Regarding Privacy Rule compliance, OIG’s primary findings included that OCR oversight remains “primarily reactive,” in that it investigates possible HIPAA non-compliance primarily in response to complaints, and that OCR has not yet fully implemented requirements under §§ 13411 and 13432 of the HITECH Act that it proactively conduct audits of covered entities to assess their HIPAA compliance efforts.  OIG also determined that in a significant number of cases, OCR failed to fully document corrective action or whether the covered entity had been the subject of a prior HIPAA investigation.  Furthermore, OIG’s review found that OCR’s case-tracking system has limited search functionality and lacks a standard way to enter covered entities’ names in the system.

Concerning HIPAA breaches, OIG found that although OCR documented corrective action for most closed so-called “large” breaches (those affecting 500 or more individuals), almost one-quarter of such cases nonetheless had inadequate documentation of the corrective action taken.  OIG also found that OCR did not record small-breach information (breaches affecting fewer than 500 individuals) in its case-tracking system, and that this failure to document “small” breaches limited OCR’s ability to track and identify covered entities with multiple small breaches.

As a result of these findings, OIG recommended that OCR: (1) fully implement a permanent audit program; (2) enter small-breach information into its case-tracking system; (3) maintain complete documentation of corrective action; (4) develop a method in its case-tracking system to search for and track covered entities that were previously investigated and/or reported prior breaches; (5) develop a policy requiring staff to check whether covered entities have been previously investigated or have reported prior breaches; and (6) continue to expand outreach and education efforts to covered entities.

OCR concurred with all of these recommendations, and further stated that it is moving forward with a permanent audit program, including Phase 2 HIPAA audits in early 2016 which are designed to “test the efficacy of the combination of desk reviews of policies as well as on-site reviews,” and also to “target specific common areas of non-compliance,” for both covered entities and business associates.

Now that the Phase 2 HIPAA audits, which have been previously discussed on this blog, are right around the corner, it is critical that covered entities and business associates ensure that their HIPAA compliance programs are in order.  Suggested activities in this regard might include: performing an updated risk assessment and implementing a risk management plan; conducting an inventory and audit of all business associate agreements; reviewing any “addressable” Security Rule implementation specifications that have not been implemented, together with the documented rationale and any alternative measures adopted in their place (an “addressable” specification may not simply be skipped); providing refresher workforce training; and carefully reviewing security policies in general.

For the full text of the recent OIG reports, please follow the links below: