HHS Office of the Inspector General (OIG) recently published two reports that demanded the HHS Office of Civil Rights (OCR) strengthen its oversight and enforcement of HIPAA compliance. Could this herald a new wave of audits and penalties?
The OIG reports, OCR’s Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards and OCR’s Follow Up of PHI Breaches by Covered Entities, didn’t mince words. According to OIG, both of these areas need “strengthening,” and it offered very clear recommended actions to be taken.
OIG’s objectives in undertaking these studies were to assess the level of OCR’s oversight of covered entity (CE) compliance and the level of compliance by Medicare Part B providers. Random statistical samples were taken from reported large and small breaches and from the privacy cases that OCR investigated in the period. OIG also reviewed policies and procedures, surveyed OCR staff and interviewed OCR officials.
Here’s what they found:
Common Findings from Both Studies
- Reactive investigations (complaints and self-reported breaches) are missing non-compliant CEs: 27% of surveyed Part B providers admitted that they had not addressed all three selected breach administrative standards (sanctions, training, policies and procedures), and 27% of the second sample had not addressed all five selected privacy standards (sanctions, training, notice of privacy practices, designated privacy official, complaint process)
- Outreach and education efforts need to be stepped up: 35% of Part B providers reported that they were unfamiliar with OCR’s jurisdiction over the Breach Notification Rule, and 27% of the second sample were unfamiliar with its jurisdiction over the Privacy Rule
- Documentation maintained is insufficient: 23% of the breach sample and 26% of the privacy sample had incomplete documentation of corrective actions taken by CEs, making it difficult to verify what corrective actions, if any, were undertaken to address noncompliance
- Investigation of prior non-compliance or breaches is insufficient: 39% of OCR staff surveyed in the breach sample and 29% in the privacy sample rarely or never checked whether a CE had previous reports of non-compliance, making it difficult to identify those that have a history of noncompliance
- 44 of the covered entities in the Privacy sample had been investigated before and 23 had been investigated 5 times each
- The case tracking system has limited search functionality: “Free form” fields for the names of the organization and no required procedures on entering information make searching for prior breaches or other HIPAA-related investigations time-consuming at best
- Follow Up of Breaches: Small-breach information was not being recorded in OCR’s case-tracking system, limiting the ability to track and identify CEs with a history of small breaches.
- Oversight of CEs Compliance with the HIPAA Privacy Standards: No resolution agreements were entered into for non-compliance following investigation.
OIG Recommendations for OCR
1. Strengthen oversight of covered entities’ compliance
2. Improve current investigation processes and documentation
3. Fully implement a permanent audit program
4. Develop an efficient search and tracking system
5. Continue to expand outreach and education efforts
Summary of the Response from OCR:
• The case-tracking system has been upgraded to capture small-breach information in a database and searching and reporting capabilities have been improved
• Policies are being implemented to ensure that staff both review a CE’s history of investigations and maintain complete documentation of all corrective actions undertaken
• Outreach and education efforts have been undertaken and will continue
• Phase 2 Audits will be launched in early 2016 (depending on availability and allocation of resources) to test the efficacy of desk reviews of policies as well as on-site reviews and will target specific common areas of noncompliance
Despite the fact that the statistical samples were from 2009 through 2011, one can see from OCR Director Jocelyn Samuels’ response (included in this report) that while OCR oversight since then has become more effective, OIG is right: it could still be strengthened further.
The response included detail of audit work still underway (updating the audit protocols, refining the pool of potential audit subjects, and implementing a screening tool for potential audit subjects), including the heavy lifting: updating OCR’s electronic document management and investigations tracking system, called the Program Information Management System (PIMS), to build the capacity to support an internal audit program.
In addition, a commitment to timing of the Phase 2 audit was included in the response: “OCR is moving forward with planning for a permanent audit program. We will launch Phase 2 of our audit program in early 2016.”
The question is: does OCR have the available resources to do so?
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.