Reports Instruct Office of Civil Rights to Increase HIPAA Enforcement Activities

Saul Ewing LLP

Summary

On September 29, 2015, the Office of Inspector General (OIG) released two reports that reviewed the Office of Civil Rights’ (OCR) enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The first report (the Privacy Report) suggests that OCR strengthen its oversight of covered entities’ compliance with the HIPAA Privacy Rule. The second report (the Breach Enforcement Report) suggests that OCR strengthen its follow-up of reported HIPAA breaches. In response to the Privacy Report, OCR announced the next phase of a HIPAA audit program to commence in early 2016.

OCR is the unit within the U.S. Department of Health and Human Services tasked with enforcing HIPAA. To prepare the reports, the OIG reviewed OCR’s oversight activities from 2009 through 2011 by conducting interviews with OCR staff and reviewing OCR data.

The OIG noted that OCR’s oversight of the Privacy Rule is reactive because OCR investigates potential noncompliance based upon complaints it receives. In addition, the OIG noted that while OCR documented corrective action for most large breaches (more than 500 individuals affected), 23 percent of large breach cases had incomplete documentation of the corrective action taken by covered entities. OCR also did not record small breaches (fewer than 500 individuals affected) in its case-tracking system.

The OIG made the following five recommendations to OCR in the Privacy Report:

  • implement a permanent audit program;
  • maintain complete documentation of corrective action taken by covered entities in OCR's information management system;
  • develop an efficient method for searching for and tracking covered entities in OCR's case-tracking system;
  • require OCR staff to check if a covered entity has been previously investigated; and
  • expand outreach and education efforts to covered entities.

The OIG made five recommendations to OCR in the Breach Enforcement Report:

  • enter small breach information in OCR's case-tracking system or a linked searchable database;
  • maintain complete documentation of corrective action taken by covered entities;
  • develop a method to search for and track whether covered entities reported prior breaches;
  • require OCR staff to check whether a covered entity previously reported a breach; and
  • expand outreach and education efforts to covered entities.

The Privacy Report may be found here and the Breach Report may be found here.

Included with each report was a response letter from OCR. The OCR agreed with each recommendation made by the OIG and noted it has already implemented or has made progress with respect to each recommendation. Significantly, OCR stated that it has concluded the review of its pilot HIPAA audit program. The OCR will launch phase 2 of the audit program early in 2016. While few details were released, OCR stated in its letter that this phase “will test the efficacy of the combination of desk reviews of policies as well as on-site reviews; it will target specific common areas of noncompliance; and it will include HIPAA business associates.”

The Privacy Report, Breach Enforcement Report and OCR response are a reminder for HIPAA covered entities and business associates to remain diligent with their HIPAA compliance activities. HIPAA covered entities and business associates can anticipate that there may be more rigorous enforcement of HIPAA by OCR as a result of the reports. Saul Ewing attorneys have written extensively about OCR HIPAA enforcement activities, which articles may be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
