The Office of Inspector General (OIG) recently released two reports recommending that the Office of Civil Rights (OCR) strengthen (1) its oversight of covered entity compliance with HIPAA privacy standards, and (2) its follow-up of reported breaches of patient protected health information. OCR is tasked with the responsibility of overseeing and enforcing HIPAA. 

With regard to OCR’s HIPAA privacy oversight, it was recommended that OCR:

  • Fully implement a permanent audit program
  • Maintain complete documentation of corrective action
  • Develop an efficient method in its case-tracking system to search for and track covered entities
  • Develop a policy requiring OCR staff to check whether covered entities have been previously investigated
  • Continue to expand outreach and education efforts to covered entities

Following an analysis of both large and small reported breaches from 2009-2011, the OIG recommended that OCR:

  • Enter small-breach information into its case-tracking system or a searchable database linked to it
  • Maintain complete documentation of corrective action
  • Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches
  • Develop a policy requiring OCR staff to check whether covered entities reported prior breaches
  • Continue to expand outreach and education efforts to covered entities

OCR concurred in all of the recommendations made by OIG. Attached to the reports are OCR's comments on the recommendations and the specific responsive actions it plans to take. Most notably, OCR stated that in early 2016 it will launch Phase 2 of its audit program using a combination of "desk" reviews of policies and procedures and on-site audits. The audits will include HIPAA business associates.

These reports are part of a series of biannual reports analyzing OCR's oversight and enforcement activities. In May 2011, the OIG found that ePHI in hospitals was subject to significant vulnerabilities to unauthorized access, use, and disclosure. The November 2013 report found that OCR failed to meet all Federal requirements in its oversight and enforcement of the HIPAA Security Rule.