OIG: OCR Didn’t Properly Enforce HIPAA Security

The HHS Office for Civil Rights didn’t meet all the federal requirements in its oversight and enforcement of the HIPAA security rule, according to a report by the HHS Office of Inspector General. The 26-page report, which was issued in November, details several problems with OCR’s enforcement of the rule, which was expanded by the HITECH Act of 2009 to include mandatory periodic audits of covered healthcare organizations and their business associates.

For example, the report contends that OCR had not assessed the risks, established priorities or implemented controls for the audits to ensure their compliance. Additionally, the report found OCR’s investigation files didn’t contain the required documentation supporting key decisions because staff didn’t consistently follow the office’s procedures by sufficiently reviewing investigation case documentation.

Further, OIG contends that OCR hadn’t implemented sufficient controls, including supervisory review and documentation retention to ensure the investigators follow investigation policies and procedures for properly initiating, processing and closing security rule investigations. OIG also found that OCR itself hadn’t complied with federal cybersecurity requirements for its information systems used to process and store investigation data. Such requirements include obtaining HHS authorizations to operate the systems used to oversee and enforce the security rule and completing privacy impact assessments, risk analyses or system security plans for two of its three systems.

These system vulnerabilities could impair OCR’s ability to perform the oversight and enforcement required for the rule, according to the report.

“We remain concerned about OCR’s ability to comply with the HITECH audit requirement and the resulting limited assurance that electronic protected health information is secure at covered entities,” OIG stated in the report.

OIG presented a draft report of its findings to OCR for comment before releasing the final report. OCR responded that it has contracted for the development of its audit mandate options, had developed an audit protocol, had conducted pilot audits of covered entities and was evaluating the results of its pilot audit program. It also explained that funding limitations were to blame for its lack of a permanent audit program.

OIG, however, did call out in its report several of the enforcement requirements that OCR did meet, such as making guidance available to covered entities that promoted compliance with the security rule and establishing an investigation process for responding to reported violations.

Going forward, the office recommended that OCR:

*Strive to assess the risks, establish priorities and implement controls for its HITECH auditing requirements;

*Provide for periodic audits in accordance with HITECH to ensure security rule compliance at covered entities;

*Implement sufficient controls, including supervisory review and documentation retention, to ensure policies and procedures for security rule investigations are followed;

*And implement the National Institute of Standards and Technology Risk Management for systems used to oversee and enforce the security rule.