HIPAA privacy and security breaches have been a hot item in the news this year thanks to the publicity surrounding the Anthem hacks. All of the publicity has increased public awareness regarding HIPAA breaches and has put significant pressure on the Department of Health and Human Services’ Office of Civil Rights (“OCR”) to start flexing its enforcement muscle. Now, it looks like the pressure is coming internally as well since the HHS Office of the Inspector General recently released a report summarizing its internal investigation of OCR’s enforcement practices.
The report highlights a few triage deficiencies. Specifically, OCR may be overlooking systemic HIPAA errors by repeat breach-filers due to case-tracking database flaws. Whenever a covered entity, including a group health plan, reports a HIPAA security breach, OCR investigates in order to confirm the covered entity has complied with HIPAA’s breach requirements, ensure the entity has corrected any security deficiencies, and assess appropriate penalties. But, some OCR investigators have not been searching the database for prior filings before opening a new investigation. The report also notes that in almost 25% of the investigations, OCR did not gather sufficient documentation to confirm that a covered entity fully corrected its prior deficiencies. As a result of the report, OCR has agreed to be more thorough in future investigations. If OCR starts tightening up its enforcement screws, covered entities that report a breach are likely in for a far more vigorous investigation.
The Inspector General’s report was especially timely since OCR also has been sending out surveys to covered entities in preparation for the commencement of the ominous-sounding “Phase 2" of its HIPAA audit program. These Phase 2 audits may be initiated without being triggered by a breach report, and are scheduled to commence this fall.
It looks like now would be a good time to review (or develop) your HIPAA policies and procedures, and consider a self-audit of your HIPAA security practices to avoid having to report a breach and answer to an invigorated OCR.