This entry is part 43 of 60 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – OCR to Increase Security Rule Enforcement

On July 27, 2009, HHS delegated the authority for the oversight and enforcement of the Security Rule to the Office for Civil Rights (OCR).  Previously, enforcement of the Security Rule was to have been undertaken by the Centers for Medicare and Medicaid Services (CMS).  In prior reports (2008 and 2011), the Office of the Inspector General (OIG) in the Department of Health and Human Services, had criticized CMS for not having conducted any Security Rule compliance audits of covered entities and not having established any policies or procedures for conducting them.  In the latter,  OIG summarized the results of its reviews of CMS’s oversight and enforcement of Security Rule implementation at seven hospitals located in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas.  The report disclosed numerous control weaknesses at the hospitals and demonstrated the need for greater OCR oversight and enforcement.

Here’s today’s big RISK ANALYSIS TIP – Heads Up – OCR Will Likely Turn Up the Gain on Enforcement!  

In the report entitled THE OFFICE FOR CIVIL RIGHTS DID NOT MEET ALL FEDERAL REQUIREMENTS IN ITS OVERSIGHT  AND ENFORCEMENT OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT SECURITY RULE, OCR was cited for properly enforcing many aspects of the Security Rule while being cited for several areas of improvement.

SUMMARY OF FINDINGS (directly excerpted from the report)

OCR met some Federal requirements for oversight and enforcement of the Security Rule. OCROIG on OCR and HIPAA Security Rule Enforcement
made available to covered entities guidance that promoted compliance with the Security Rule and OCR established an investigation process for responding to reported violations of the Security Rule. OCR also followed Federal regulations when imposing penalties for Security Rule violators.

However, OCR did not meet other Federal requirements critical to the oversight and enforcement of the Security Rule:

  • Although OCR made available to covered entities guidance that promoted compliance with the Security Rule, it had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. As a result, OCR had limited assurance that covered entities complied with the Security Rule and missed opportunities to encourage those entities to strengthen their security over ePHI.
  • Although OCR established an investigation process for responding to reported violations of the Security Rule, its Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation. OCR had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations.

In addition, OCR had not fully complied with Federal cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security. For example, OCR did not obtain HHS authorizations to operate the three systems used to oversee and enforce the Security Rule. In addition, it did not complete privacy impact assessments, risk analyses, or system security plans for two of the three systems. Exploitation of system vulnerabilities, normally identified through the Risk Management process, could impair OCR’s ability to perform functions vital to its mission.

RECOMMENDATIONS (directly excerpted from the report)

We [OIG] recommend that OCR:

  • assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  • provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
  • implement sufficient controls, including supervisory review and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
  • implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.

OFFICE FOR CIVIL RIGHTS COMMENTS (directly excerpted from the report)

In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them.  In one of its comments, OCR stated that it had contracted for the development of its audit mandate options, had developed an audit protocol, had conducted pilot audits of covered entities, and was evaluating the results of its pilot audit program.  However, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.  OCR also provided technical comments, which we addressed as appropriate. OCR’s comments, excluding technical comments, are included as Appendix B.

OFFICE OF INSPECTOR GENERAL RESPONSE (directly excerpted from the report)

We remain concerned about OCR’s ability to comply with the HITECH audit requirement and the resulting limited assurance that ePHI is secure at covered entities because of OCR’s comment regarding limited funding resources for its audit mandates.  Furthermore, in response to one of OCR’s technical comments, we changed our report language to clarify our finding on OCR’s oversight and enforcement of covered entity compliance with the Security Rule by removing a reference to Security Rule requirements.  Although the Security Rule authorized compliance reviews of covered entities in 2006 by stating that OCR “may conduct compliance reviews to determine” Security Rule compliance, HITECH changed the requirement in 2009 to state that OCR “shall provide for periodic audits to ensure” Security Rule compliance.

Risk Analysis Resources Are Available to You Now

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Series Navigation<< HIPAA Risk Analysis Tip – Just A Few Laptop RisksHIPAA Risk Analysis Tip – FTC Exerting Data Security Authority >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.