The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) issued two reports yesterday calling for the HHS Office of Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts. In response to these reports, HHS announced that it will launch HIPAA audits early next year in order to be more proactive in HIPAA enforcement.

In the OIG report titled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the OIG found that OCR’s actions are primarily reactive, taken in response to complaints received by OCR. The OIG also found that in most cases of noncompliance, corrective action by the covered entity was required, but OCR did not have documentation of the outcome or follow-up for 26% of these cases. Additionally, the OIG found that OCR staff rarely check to see whether the covered entity involved has experienced a previous violation.

In the second OIG report titled “OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities,” the OIG found that although OCR investigated and documented investigations of most large breaches, OCR did not record information regarding small breaches in its case-tracking system. The OIG stated that failure to track these smaller breaches makes it harder for OCR to identify and address covered entities with multiple small breaches. The OIG outlined several recommendations in the two reports, including:

  • Fully implement a permanent audit program;
  • Enter small-breach information into its case-tracking system or a searchable database linked to it;
  • Maintain complete documentation for corrective action;
  • Develop an efficient method in its case-tracking system to search for and track all covered entities;
  • Develop a policy requiring OCR staff to check whether covered entities previously were investigated and/or reported prior breaches; and
  • Continue to expand outreach and education efforts to covered entities.

In comments published with the report “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” OCR announced that it will begin the next round (Phase 2) of HIPAA audits early next year, which will focus on both covered entities and business associates.

Posted by Stephanie Cason

One Comment

  1. […] Civil Rights (OCR) oversight over the security of ePHI. The OIG noted findings from prior OCR and OIG audits that have identified numerous […]

