OIG Reports: HIPAA Enforcement Activities Need a Boost
Watchdog Agency Makes 10 Recommendations to OCR
The HHS Office for Civil Rights should take 10 steps to strengthen its oversight of HIPAA Privacy Rule compliance and improve its follow-up activities on reported data breaches, a government watchdog agency says in two new reports.
Among the recommended steps are the launching of a long-overdue, permanent HIPAA compliance audit program, adding information about small breaches to OCR's case-tracking system and expanding HIPAA education outreach efforts.
The Department of Health and Human Services' Office of Inspector General this week issued the reports evaluating OCR, which is responsible for HIPAA enforcement. In each of the reports - OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities and OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA Privacy Standards - OIG made five recommendations. OCR agreed to carry out all of them.
OCR did not immediately respond to Information Security Media Group's request for comment on the reports.
In response to OIG's call for implementing a permanent HIPAA compliance audit program, as required under the HITECH Act, OCR Director Jocelyn Samuels outlined steps the office is taking toward that long-delayed goal.
"We will launch our audit program in early 2016. This phase will test the efficacy of a combination of desk reviews of policies as well as on-site reviews. It will target common areas of non-compliance and will include HIPAA business associates," Samuels wrote in a letter dated Sept. 23 (see: New HIPAA Compliance Audit Details Revealed).
Samuels noted that key audit-preparation activities over the next several months include "OCR updating its HIPAA audit protocols; refining the pool of potential audit subjects; and implementing a screening tool to assess size, entity type and other information about potential audit subjects."
OCR is also updating its electronic document management and investigations tracking system, known as the Program Information Management System, "to build capacity to support an internal audit program," Samuels wrote. "However, while OCR is moving forward with Phase 2, the scope and structure of the audit program long-term will ultimately depend upon the availability of resources for the program."
Thinly stretched resources at OCR appear to be a major obstacle in the agency carrying out a number of its plans and activities. In a recent interview with Information Security Media Group, attorney Deven McGraw, OCR's new deputy director for health information privacy, said one of the biggest challenges she faces is the office's relatively small staff.
"I have great staff, but have too few for the dream that I have for this office," she acknowledged. "That requires an assessment of what can we do, how can we be more strategic, what are the things we need to prioritize versus what's the entire wish list. I don't want things to ever come off the wish list, but at the end of the day, I will always be challenged about how to be effective and efficient with less than I would like. But that's probably true for a lot of the covered entities and business associates that I regulate. So I feel their pain."
HIPAA Oversight Weaknesses
In its report about OCR's oversight of HIPAA Privacy Rule compliance by covered entities, OIG found that:
- OCR investigated possible noncompliance with the privacy standards primarily in response to complaints;
- OCR has not fully implemented the required audit program to proactively identify possible noncompliance from covered entities;
- In about half of the closed privacy cases that OIG reviewed, OCR determined that covered entities were noncompliant with at least one privacy standard;
- OCR documented corrective action for almost three-quarters of privacy cases in which it requested such actions from covered entities; however, 26 percent of cases had incomplete documentation;
- Seventy-one percent of OCR staff at least sometimes checked whether covered entities had been previously investigated; however, 29 percent rarely or never did so;
- OCR's case-tracking system has limited search functionality;
- Almost three-quarters of Medicare Part B providers addressed all five selected privacy standards reviewed by OIG; however, 27 percent of Part B providers did not.
OIG's five recommendations, which OCR says it is implementing, include:
- Fully implementing a permanent audit program;
- Maintaining complete documentation of corrective action;
- Developing an efficient method in OCR's case-tracking system to search for and track covered entities;
- Developing a policy requiring OCR staff to check whether covered entities have been previously investigated;
- Continuing to expand HIPAA outreach and education efforts to covered entities.
OCR's Breach Follow-up Activities
In its report evaluating OCR's follow-up on breaches reported by covered entities, OIG acknowledged that OCR routinely investigates breaches affecting 500 or more individuals, as required under the HITECH Act. In almost all of the completed investigations, OCR determined that covered entities were noncompliant with at least one HIPAA Privacy Rule standard.
Although OCR documented corrective action for most of the closed large breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities, OIG says.
OIG says OCR also did not record information about smaller breaches in its case-tracking system, which limits OCR's ability to track and identify covered entities with multiple small breaches.
Although 61 percent of OCR staff checked at least sometimes as to whether covered entities had reported prior large breaches, 39 percent of OCR staff rarely or never did so, OIG says.
"If OCR staff wanted to check, they may face challenges because its case tracking system has limited search functionality and OCR does not have a standard way to enter covered entities' names in the system," OIG notes.
Based on these findings, OIG said OCR should:
- Enter small-breach information into its case-tracking system or a searchable database linked to it;
- Maintain complete documentation of corrective action;
- Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches;
- Develop a policy requiring OCR staff to check whether covered entities reported prior breaches;
- Continue to expand outreach and education efforts to covered entities.
OCR concurred with all five recommendations and described to OIG its activities to address them, the report notes.
One HIPAA expert says OIG's assessment of OCR's enforcement activities spotlights several important issues.
"The reports in their formal federal language are an attempt to light a bigger fire under OCR to use the authority in the HITECH Act for the proactive audits to reach the second plateau of operation," says independent HIPAA attorney Susan Miller.
"While all five recommendations in each report are important, the small-breach information and a fully implemented permanent audit program are very important for HIPAA enforcement to reach the next higher level of operations," she says. "Both reports taken together put both investigations and audits on the same enforcement level, making each as important as the other. It is also a recognition that a complaint and its related investigation may lead to a breach finding, and that both investigations and breaches produce corrective action plans."
And while OCR officials have acknowledged that the agency has tight resources, Miller says the agency likely has the resources to make the improvements that OIG suggests.
"Several of the recommendations focus on the new case tracking system that OCR has been creating and updating from the original complaint system for well over a year," she says. "It is important for the new technology and database underlying HIPAA enforcement to be completed, and tested, before the next-level audits begin and more breaches are investigated."