The OIG Reports that OCR Failed to Meet Federal Requirements in its Oversight and Enforcement of the HIPAA Security Rule.

The Department of Health and Human Services Office of Inspector General (OIG) recently reported that the Office for Civil Rights (OCR) failed to meet federal requirements in the oversight and enforcement of the HIPAA Security Rule.  The OIG evaluated OCR’s Security Rule oversight and enforcement for the period from July 2009 through May 2011, as well as OCR’s computer systems as of May 2011.  The OIG assessed the OCR through methods, such as:

• Reviewed OCR’s policies, processes, systems, and applications used to enforce the Security Rule;
• Examined OCR’s oversight and enforcement of the Security Rule as applied to covered entities;
• Evaluated OCR’s use of civil monetary penalties;
• Interviewed OCR staff members and the OCR official responsible for overseeing investigations;
• Reviewed OCR’s contracts and interviewed contractor personnel; and
• Judgmentally selected 30 closed and 30 open investigations from 364 investigations of potential Security Rule violations.

The OIG found that OCR met some federal requirements for oversight and enforcement of the Security Rule, such as providing compliance guidance to covered entities.  Additionally, the OCR created an investigation process for responding to reported violations of the Security Rule, and followed federal regulations for penalizing Security Rule violators.  However, the OIG determined that OCR had not assessed risks, established priorities, or implemented controls for periodic audits of covered entities to confirm compliance with Security Rule requirements.  The OIG also found that OCR had not implemented proper controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for correctly initiating, processing, and closing Security Rule investigations.  Further, OCR had not fully complied with federal cybersecurity requirements.   

• The OIG made the following recommendations to which OCR generally concurred:
• Assess the risks, establish priorities, and implement controls for its Health Information Technology for Economic and Clinical Health Act auditing requirements.
• Conduct periodic audits in accordance with HITECH to verify Security Rule compliance of covered entities.
• Establish sufficient controls, such as supervisory review and documentation retention.
• Implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule.

The OIG report on OCR’s oversight activities is available at:

https://oig.hhs.gov/oas/reports/region4/41105025.pdf.

Department of Health and Human Services Office of Inspector General.  “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.”  4 Dec. 2013.

About the Author

Ms. Shuman assists health care organizations to develop, implement and evaluate their compliance programs and HIPAA privacy programs. Ms. Shuman specializes in our firm’s HIPAA Privacy services, including leading privacy investigations, breach risk assessments, breach notification letters, breach reporting to the Office for Civil Rights and corrective actions plans. She specializes in serving as Interim Privacy Officer for large health care systems, managed care organizations, comprehensive cancer center and health care business associate.