The OIG has issued two reports calling for stronger OCR oversight of covered entity compliance with HIPAA standards. In the first report, “OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards,” the OIG observes that OCR’s Privacy Rule compliance oversight is primarily reactive, driven by complaints, because OCR has not fully implemented the required audit program that would let it proactively assess compliance. The OIG recommends that OCR: (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective actions; (3) improve its case-tracking system; (4) require OCR staff to check whether covered entities have previously been investigated; and (5) expand outreach and education efforts to covered entities. OCR concurred with all five recommendations.
In the second report, the OIG called on OCR to strengthen its follow-up on breaches of patient health information reported by covered entities, to ensure that the covered entities address the compliance problems that led to those breaches. Specifically, the OIG called on OCR to improve its case-tracking system, its corrective action documentation policies, and its outreach and education efforts, among other things. OCR agreed with the recommendations.