Covered Entities Beware: OCR Will Be Increasing HIPAA Security Rule Audits And Enforcement Activities

January 29, 2014

By: Leslie A. Mariotti

A recent report by the Department of Health and Human Services (HHS) Office of Inspector General (OIG) found that the HHS Office for Civil Rights (OCR) has not met certain requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The OIG report and recommendations will likely result in an increase in enforcement activity and OCR Security Rule audits of HIPAA Covered Entities.

HIPAA required HHS to develop national standards for the use and dissemination of health care information, including standards to protect electronic protected health information (ePHI). To satisfy that requirement, HHS published the HIPAA Security Rule, which describes the administrative, physical, and technical safeguards necessary to ensure the confidentiality, integrity, and availability of ePHI. The Health Information Technology for Economic and Clinical Health Act (HITECH) requires OCR to provide for periodic audits to ensure covered entities and their business associates comply with Security Rule requirements.

According to the OIG report, although OCR made available guidance that promoted compliance with the Security Rule, it had not “assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits.” Instead, OCR continued to follow the complaint-driven approach to Security Rule investigations.

OIG found that because OCR did not perform the compliance audits mandated by HITECH, it had limited information about the status of Security Rule compliance at covered entities, and lacked the necessary information about which ePHI was vulnerable.

Further, OIG found that while OCR had established an investigation process for responding to reported violations of the Security Rule, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions made. According to the report, management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing investigations.

Finally, the report found that OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security.

OIG recommended that OCR:

  1. assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  2. provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
  3. implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
  4. implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule.

As a result of this report, HIPAA Covered Entities and their Business Associates should be prepared for an increase in Security Rule audits and enforcement activity.

OIG’s full Report can be found here:
http://oig.hhs.gov/oas/reports/region4/41105025.pdf
