The Office of the Inspector General of the Department of Health and Human Services has recently issued a report stating that the Office for Civil Rights failed to meet all the federal requirements that it was set and specifically criticized it for not having overseen and enforced the HIPAA Security Rule to the required degree.
According to the OIG, there were two key requirements under the Security Rule that the OCR had not met:
- OCR had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements.
- OCR’s Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation.
The OIG recommended that immediate action be taken to address these failures, including conducting periodic audits of covered entities to ensure that the amendments to HIPAA introduced by the HITECH Act are assessed. The OCR must also establish the necessary priorities in order to commence HIPAA compliance audits and police uptake of the Security Rule.
The NIST Risk Management Framework should also be implemented to help oversee the adoption of the changes brought about by the HIPAA Security Rule, and the OCR must enforce compliance. It was also recommended that supervisory reviews and documentation retention be used to ensure that policies and procedures for its Security Rule investigations are followed.
The OCR response broadly concurred with the points raised and detailed the ways in which it has already responded and is addressing the issues raised, while enforcement and policing of the HIPAA Privacy and Security Rules will be brought up to the required level.
However, the OCR pointed out that it had not received funding for a permanent audit program. In spite of this, between 2008 and 2012 it investigated more than 13,000 cases, arrived at 11 resolutions with organizations where serious data security breaches had been identified, and collected payments of close to $10 million.
It is clear that the OCR’s stance on non-compliance has changed in recent months. While $10M in settlements had previously been negotiated, $3.7 million (37%) of these had come from investigations concluded over the course of the past 12 months and accounted for almost half of the resolution agreements issued since 2008.
It would appear from the report that funding for a permanent program of audits is unlikely to be forthcoming and that the OCR may be responsible for raising its own funds for policing HIPAA. Regardless, the OCR must meet federal requirements and conduct all audits demanded by HIPAA and its subsequent amendments.
Healthcare organizations can therefore expect increased policing of the Privacy and Security Rules over the coming months and an increasing likelihood of being subjected to a surprise HIPAA audit. Financial penalties are being issued with increasing frequency and the message from the OCR is now clear: the HIPAA Privacy and Security Rules are being strictly enforced and there are no longer any excuses for non-compliance.