The Office of Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS) issued two reports  yesterday calling for the HHS Office of Civil Rights (OCR) to strengthen its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts.   In response to these reports, HHS announced that it will launch HIPAA audits early next year in order to be more proactive in HIPAA enforcement.

In the OIG report titled “OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the OIG found that OCR’s actions primarily are reactive in response to complaints made received by OCR.  The OIG also found that in most cases of noncompliance, corrective action by the covered entity was required, but OCR did not have documentation of the outcome or follow-up for 26% of these cases.  Additionally, the OIG found that OCR staff rarely check to see whether the covered entity involved has experienced a previous violation.

In the second OIG report titled “OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered entities,” the OIG found that although OCR investigated and documented investigations of most large breaches, OCR did not record information regarding small-breaches in its case-tracking system.  The OIG stated that failure to track these smaller breaches makes it harder for OCR to identify and address covered entities with multiple small breaches.  The OIG  outlined several recommendations as in the two reports, including:

  • Fully implement a permanent audit program;
  • Enter small-breach information into its case-tracking system or a searchable database linked to it;
  • Maintain complete documentation for corrective action;
  • Develop an efficient method in its case-tracking system to search for and track all  covered entities;
  • Develop a policy requiring OCR staff to check whether covered entities previously were investigated and/or reported prior breaches; and
  • Continue to expand outreach and education efforts to covered entities.

In comments published with the report, OCR Should Strengthen its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards, OCR announced that it will begin the next round (Phase 2) of HIPAA audits early next year which will focus both on covered entities and business associates.