As HIPAA-regulated entities anxiously await the commencement of the Phase II HIPAA audit program, the Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) has issued a report critical of the Office for Civil Rights’ (OCR) HIPAA enforcement performance, effectively giving OCR “something to prove.”

The report, released on September 28, 2015, examines whether OCR — the office within HHS charged with enforcing HIPAA — is sufficiently exercising its oversight responsibilities. The OIG specifically focused on whether OCR is sufficiently overseeing covered entities’ compliance with HIPAA’s Privacy Rule.  The OIG found a number of areas where OCR’s oversight is lacking.

To reach its conclusion, the OIG examined statistical samples of privacy cases investigated by OCR, as well as surveys of OCR staff and interviews with OCR officials. After examining this data, the OIG reached the following conclusions:

  • OCR’s oversight is primarily reactive, with OCR investigating possible noncompliance primarily in response to complaints.
  • OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.
  • In 24 percent of cases where OCR requested corrective action, it subsequently failed to obtain complete documentation of corrective actions taken by the covered entities.
  • Some OCR staff rarely or never checked to see whether a covered entity had been previously investigated. The OIG found that the staff’s failure to check for previous investigations may be due to the limited functionality of its case tracking system.

The OIG’s report also sheds light on Privacy Rule compliance within the Medicare Part B provider community. According to the OIG’s findings, over a quarter of Part B providers did not address all of the applicable Privacy Rule standards, and may therefore be failing to adequately safeguard protected health information.  The OIG’s findings are summarized below:

OIG_findings

 

 

 

 

 

 

Based on its findings, the OIG recommended that the OCR should:

  • Fully implement a permanent audit program;
  • Maintain complete documentation of corrective action;
  • Develop an efficient method in its case-tracking system to search for and track covered entities;
  • Develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
  • Continue to expand outreach and education efforts to covered entities.

OCR concurred with all five recommendations and described its activities to address them.

The OIG’s report comes amidst the impending start of OCR’s Phase II audit program. Whether the OIG’s report will impact how OCR conducts its Phase 2 audits, if at all, remains to be seen. However, it is not inconceivable that OCR could feel pressured to more aggressively investigate potential Privacy Rule noncompliance, and covered entities would be well-served to ensure that they are ready to respond to such audits. To assist covered entities in their response, we have made available a webinar entitled “The First Rule of How to Survive a HIPAA Audit: Be Prepared” which can be viewed here.