Covered Entities Beware: OCR Will Be Increasing HIPAA Security Rule Audits And Enforcement Activities

By: Leslie A. Mariotti

A recent report by the Department of Health and Human Services (HHS) Office of Inspector General (OIG) found that the HHS Office for Civil Rights (OCR) has not met certain requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The OIG report and recommendations will likely result in an increase in enforcement activity and OCR Security Rule audits of HIPAA Covered Entities.

HIPAA required the HHS to develop national standards for the use and dissemination of health care information, including standards to protect electronic protected health information (ePHI). To satisfy that requirement, HHS published the HIPAA Security Rule, which describes the administrative, physical, and technical safeguards necessary to ensure the confidentiality, integrity, and availability of ePHI. The Health Information Technology for Economic and Clinical Health Act (HITECH) requires OCR to provide for periodic audits to ensure covered entities and their business associates comply with Security Rule requirements.

According to the OIG report, although OCR made available guidance that promoted compliance with the Security Rule, it had not “assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits.” Instead, OCR continued to follow the complaint-driven approach to Security Rule investigations.

OIG found that because OCR did not perform the compliance audits mandated by HITECH, it had limited information about the status of Security Rule compliance at covered entities, and lacked the necessary information about which ePHI was vulnerable.

Further, OIG found that while OCR had established an investigation process for responding to reported violations of the Security Rule, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions made. According to the report, management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing investigations.

Finally, the report found that OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security.

OIG recommended that OCR:

  1. assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  2. provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
  3. implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
  4. implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule.

A a result of this report, HIPAA Covered Entities and their Business Associates should be prepared for an increase in Security Rule audits and enforcement activity.

OIG’s full Report can be found here:
http://oig.hhs.gov/oas/reports/region4/41105025.pdf

News & Events

Related News

August 20, 2020

Pietragallo Gordon Alfano Bosick & Raspanti LLP, a business and litigation law firm with five offices across Pennsylvania, Ohio, and West Virginia, is proud to announce that nineteen of our distinguished attorneys have been recognized in The Best Lawyers in America® 2021 edition. “The legacy of our law firm is the depth of our courtroom… Read more »

Read More
March 27, 2020

The Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”), which was signed into law today allocates $350 billion for a Paycheck Protection Program (“PPP”) meant to provide immediate relief to small businesses (less than 500 employees) and other eligible entities impacted by the COVID-19 pandemic. Process: The process for securing a PPP loan… Read more »

Read More

Upcoming Events

February 17, 2021

Partner Pamela Coyle Brecht will be moderating a panel at the Federal Bar Association’s virtual 2021 Qui Tam Conference that is taking place February 17-19, 2021. The three-day conference will focus on the False Claims Act in times of crisis, including changes in enforcement priorities that may follow the COVID-19 pandemic. Ms. Brecht’s segment titled,… Read more »

Read More
View More News & Events