OIG Issues Report Critical of OCR Oversight of HIPAA Breaches

OCR data estimates that more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. However, this figure is likely a significant underestimation since most breaches involve less than 500 individuals and are therefore not subject to public disclosure. The HHS OIG released a report assessing OCR’s oversight of covered entities that reported breaches. The report reviewed a statistical sample of large breaches affecting 500 or more individuals, as well as smaller breaches affecting fewer than 500 individuals. It also surveyed OCR staff, interviewed OCR officials, and reviewed OCR’s investigation policies and systems. Finally, the report reviewed a sample of Medicare Part B providers to determine the extent to which the providers addressed three selected breach administrative standards. The report was critical of OCR’s follow-up of reported breaches of PHI. It found that OCR systems lacked standardized methods to enter data and track entities with repeated breaches. Many of OCR’s closed cases had incomplete documentation, which prevented OCR from taking corrective action in those cases.

Breaches of protected health information (PHI)—such as patients’ names, test results, medical conditions, prescriptions, or treatment histories—could expose patients to privacy invasion, fraud, identity theft, and/or other harm. The HIPAA Breach Notification Rule, along with HIPAA’s Privacy and Security Rules, established standards to safeguard PHI. The Breach Notification Rule requires that covered entities report breaches of unsecured PHI to OCR, which oversees HIPAA compliance with the Rule. The OIG’s review identified a number of specific findings and provided recommendations to address them.

OIG Findings

• Weaknesses in OCR follow-up of reported breaches of PHI;
• Large breaches were investigated as required;
• In large-breach cases, covered entities were noncompliant with at least one HIPAA standard;
• 23% of closed cases had incomplete documentation of corrective actions taken;
• Identification of entities with multiple small breaches is impossible because small breaches are not in the case tracking system;
• 40% of OCR staff rarely or never checked entities for prior breaches;
• The case tracking system has limited search functionality for entities reporting breaches;
• OCR lacks a standard way to enter covered entity names in its electronic documenting system; and
• 27% of Medicare Part B providers reviewed failed to address all 3 selected breach standards.

OIG Recommend That OCR…

1. Enter small-breach information into its case-tracking system or a searchable database;
2. Maintain complete documentation of corrective action;
3. Develop a method to search for and track covered entities that reported prior breaches;
4. Develop a policy requiring OCR staff to check whether covered entities reported prior breaches; and
5. Continue to expand outreach and education efforts to covered entities.

OCR concurred with all recommendations and described its ongoing activities to address them.