Covered Entities Beware: OCR Will Be Increasing HIPAA Security Rule Audits And Enforcement Activities

January 29, 2014


A recent report by the Department of Health and Human Services (HHS) Office of Inspector General (OIG) found that the HHS Office for Civil Rights (OCR) has not met certain requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The OIG report and recommendations will likely result in an increase in enforcement activity and OCR Security Rule audits of HIPAA Covered Entities.

HIPAA required the HHS to develop national standards for the use and dissemination of health care information, including standards to protect electronic protected health information (ePHI). To satisfy that requirement, HHS published the HIPAA Security Rule, which describes the administrative, physical, and technical safeguards necessary to ensure the confidentiality, integrity, and availability of ePHI. The Health Information Technology for Economic and Clinical Health Act (HITECH) requires OCR to provide for periodic audits to ensure covered entities and their business associates comply with Security Rule requirements.

According to the OIG report, although OCR made available guidance that promoted compliance with the Security Rule, it had not “assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits.” Instead, OCR continued to follow the complaint-driven approach to Security Rule investigations.

OIG found that because OCR did not perform the compliance audits mandated by HITECH, it had limited information about the status of Security Rule compliance at covered entities, and lacked the necessary information about which ePHI was vulnerable.

Further, OIG found that while OCR had established an investigation process for responding to reported violations of the Security Rule, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions made. According to the report, management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing investigations.

Finally, the report found that OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security.

OIG recommended that OCR:

  1. assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  2. provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
  3. implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
  4. implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule.

As a result of this report, HIPAA Covered Entities and their Business Associates should be prepared for an increase in Security Rule audits and enforcement activity.

OIG’s full Report can be found here:
http://oig.hhs.gov/oas/reports/region4/41105025.pdf
