The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) must improve its oversight and enforcement of patient information privacy and security rules by “covered entities” and their business associates under the Health Insurance Portability and Accountability Act (“HIPAA”), according to the HHS Office of the Inspector General (“OIG”). The HHS OIG is responsible for improving the efficiency of HHS programs, as well as overseeing HHS institutions, including OCR. Three OIG reports—two released last month and one completed in 2013—assess OCR’s performance of its federally mandated duties between 2009 and 2011. “Covered entities,” including health plans and most health care providers, as well as their business associates, should expect to see OCR take a more proactive approach to preventing and investigating HIPAA violations sometime next year.

The first of the September 2015 OIG reports reviewed OCR’s oversight of the HIPAA Breach Notification Rule (“2015 Breach Notification Report”). The Breach Notification Rule requires covered entities to make certain notifications when they discover a breach of unsecured protected health information. (The Breach Notification Rule also requires business associates to report breaches to their covered entity customers.) The 2015 Breach Notification Report concluded that OCR successfully investigated all large-scale breaches affecting 500 or more individuals, and in 93 percent of those cases OCR determined that the covered entity was noncompliant with at least one HIPAA standard. The report, however, criticized OCR for failing to investigate small breaches (those affecting fewer than 500 individuals) and to record small-breach information in its case-tracking system. According to the 2015 Breach Notification Report, a covered entity that experiences multiple small breaches may have systemic, yet unaddressed, security problems that could compromise protected health information, and without tracking, OCR cannot see that pattern.

Based on these findings, the 2015 Breach Notification Report recommended that OCR enter small-breach information into its case-tracking system. As of September 2015, OCR reported that it had already upgraded its case-tracking system, enabling OCR staff to capture small-breach information and to track each covered entity’s history of compliance with HIPAA standards. The report also recommended that OCR maintain more complete documentation of corrective action taken by covered entities, to better verify that remedial measures are actually carried out—a gap that OCR reported it will work to address.

The second September 2015 OIG report studied OCR’s oversight and enforcement of HIPAA’s Privacy Rule (“2015 Privacy Report”). The Privacy Rule sets standards governing how and when covered entities may use and disclose protected health information, and it also imposes certain obligations on business associates. The 2015 Privacy Report found that OCR had yet to fully implement the audit program required as of February 2010 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and called OCR’s current approach “primarily reactive.” Currently, OCR investigates Privacy Rule violations only in response to complaints, tips, and media reports. The OIG therefore recommended that OCR fully implement a permanent audit program. In response, OCR described the results of its pilot audit program and reported that it plans to implement a permanent audit protocol in 2016. OCR noted, however, that the long-term scope and structure of the audit program will depend on the availability and allocation of resources. Once OCR implements its audit program, covered entities and business associates should expect periodic HIPAA compliance audits, rather than OCR relying solely on complaints to initiate investigations of noncompliance.

The pair of reports released in September come almost two years after a November 2013 OIG report on HIPAA’s Security Rule (“2013 Security Report”). The Security Rule specifies the administrative, physical, and technical safeguards that covered entities and business associates must implement to maintain the confidentiality, integrity, and availability of electronically stored protected health information. The 2013 Security Report similarly recommended that OCR implement a permanent audit program to ensure that covered entities and business associates comply with the Security Rule. At the time of the 2013 Security Report, OCR reported a lack of reliable funding to implement a permanent audit program.

A compiled copy of the HIPAA Code of Federal Regulation provisions, describing the HIPAA rules and standards discussed herein, can be found here.