The Office of Inspector General’s (OIG) recently released Privacy Standards report assessed the Office for Civil Rights’ (OCR) oversight of covered entities’ compliance with the Privacy Rule as well as the extent to which Medicare Part B providers are aware of HIPAA privacy standards. Among its findings, the OIG determined that Part B providers fell short in establishing sanctions policies for staff and in providing some or all of their staff with training on policies and procedures for addressing protected health information (PHI). The report also concluded that OCR’s faulty case tracking system, coupled with poor follow-up on covered entities with a history of repeated noncompliance, impeded OCR’s proactive enforcement of the Privacy Rule.

Specifically, the OIG found that almost one-third of OCR staff did not include in their investigations whether covered entities had previously been the subject of an OCR investigation or a corrective action plan. OCR had no process or procedure to ensure that its staff looked into the history of covered entities with OCR. As a result, the OIG identified 44 covered entities OCR had investigated more than once, nearly half of which had been investigated by OCR at least five times each.

The OIG recommended that OCR

  • fully implement a permanent audit program;
  • maintain complete documentation in the OCR’s information management system of corrective action;
  • develop an efficient method to search for and track covered entities’ histories of being investigated;
  • develop a policy requiring OCR staff to check whether covered entities have previously been investigated; and
  • continue to expand outreach and education efforts to Medicare Part B providers.

OCR has already taken steps to address four of the five OIG recommendations in response to this report, including implementing better case tracking in its case management system. OCR has indicated that it will widen its enforcement focus to business associates and areas of repeated noncompliance. OIG’s report identified that covered entities were frequently found noncompliant in two areas: first, in meeting the standard for restricting uses and disclosures of PHI and second, in meeting the standard for implementing administrative, physical, and technical safeguards.

OCR plans to initiate Phase 2 of its audit program in early 2016. The Phase 2 audits will target areas with a history of noncompliance by covered entities, include business associates, and at this time reportedly include a mix of desk and on-site reviews.

In anticipation of the 2016 Phase 2 audits, covered entities and business associates should consider reviewing and evaluating their policies and procedures for compliance with the Privacy, Security and Breach Notification rules, as well as their education efforts aimed at training staff on the appropriate uses and disclosures of PHI.