OIG Criticizes OCR over Enforcement of HIPAA Privacy Violations

Last week, the Department of Health and Human Services’ Office of the Inspector General (OIG) released two reports detailing the results of reviews conducted to assess the Office for Civil Rights (OCR) activities relating to the enforcement of HIPAA privacy violations and oversight of HIPAA-covered entities’ compliance efforts.

The OCR is the main enforcer of HIPAA regulations, and that role requires the agency to monitor HIPAA-covered entities to ensure they are implementing the necessary controls to protect the privacy of patients, as required by the HIPAA Privacy and Security Rules.

The OCR is required to oversee compliance efforts, and conduct reviews of covered entities, issuing corrective actions and financial penalties as appropriate if violations of HIPAA Rules are discovered. The OCR has historically struggled in this regard due to a severe lack of resources. Touch budgetary restrictions or otherwise, its role remains the same and the reports have strongly criticized the OCR for a lack of action and enforcement inconsistencies.

The reviews consisted of a detailed examination of a statistical sample of large-scale data breaches –  – those which have affected more than 500 individuals – suffered by covered entities, with the second report also examining the efforts the OCR has made investigating smaller data breaches. The data studied came from security breaches that were reported to the OCR between September 2009 and March 2011.

OCR Criticized for its Failure to Implement a Permanent HIPAA-Compliance Audit Program

The first report highlighted serious failures, with the OCR found to have adopted a “primarily reactive” approach to policing compliance. The agency only investigated organizations following self-reported data breaches and complaints made to the HHS. The OCR was criticized for not taking a more proactive approach when assessing HIPAA-compliance efforts.

The OCR has previously conducted a series of HIPAA-compliance audits to determine whether healthcare providers, health plans, and healthcare clearinghouses have adopted the necessary controls and safeguards to protect data and patient privacy. Those audits took place in 2011/2012.

The second phase of the audits were expected to commence last year, but the OCR has been forced to delay. Now more than a year later the audit program still hasn’t started, although a 2015 start has now been confirmed. A permanent audit program is expected of the OCR, but it has not yet been implemented. This fact did not escape the attention of the OIG.

The OIG has recommended that the OCR “fully implement its permanent audit program”, as well as “maintain complete documentation on corrective actions taken”. The review uncovered failures to maintain a full set of documentation, making it impossible in many cases to determine whether organizations that have suffered a data breach adhered to OCR corrective action plans. This was in part determined to be due to issues with the OCR’s case-tracking software. The OCR has been recommended to address this issue as a priority and must “strengthen its oversight of covered entities’ compliance with the HIPAA privacy standards.”

The OCR must also issue guidance to covered entities to assist them with their compliance efforts. The OIG recommended that the OCR increase its outreach to covered entities, and expand its education efforts.

Inconsistencies Found in the OCR’s Enforcement of HIPAA Privacy Violations

The second report revealed that the OCR did not record data from small breaches in its case-tracking system, thereby limiting the effectiveness of its follow-ups on data breaches. Covered entities could therefore have suffered numerous small-scale data breaches, yet OCR staff would not be able to track those breaches.

OCR staff did not always check whether actions had been taken against organizations in the past, even for large-scale breaches. When interviewed by the OIG, only 61% of OCR staff claimed they checked for historical large-scale data breaches suffered by the covered entity in question. 39% claimed they rarely or never checked for past data breaches suffered. Furthermore, when corrective actions were issued, a full set of documentation on compliance efforts was not present in 23% of cases.

The recommendations made in the second report included entering small-scale breaches into the OCR’s case-tracking system, and making improvements to that system to allow full searches to be conducted on covered entities. The agency must also improve the accuracy of its searches, which could be achieved in part, by standardizing the way covered entities names are entered into the system. The OCR was also told to “strengthen its follow-up of breaches of patient health information reported by covered entities.”

The OCR agreed with all recommendations made by the OCR, and Jocelyn Samuels responded to the criticisms and confirmed that the OCR HIPAA-compliance audit program would be commencing in early 2016. However the permanent program is likely to be hampered by budgetary constraints.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news