According to a report published by the Office of the Inspector General (OIG) on November 21, 2013, the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is not adequately overseeing and enforcing the HIPAA Security Rule. 

The OIG’s report, which followed an assessment of OCR’s Security Rule oversight and enforcement activities from July 2009 through May 2011, concluded that:

  • OCR failed to provide for periodic audits, as mandated by HITECH, to ensure that covered entities were in compliance with the Security Rule, and instead continued to follow the complaint-driven approach to assess the status of Security Rule compliance
  • OCR failed to consistently follow its investigation procedures and maintain documentation needed to support key decisions made during investigations conducted in response to reported violations of the Security Rule

To address these findings, the OIG recommended that OCR: (i) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (ii) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; and (iii) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed.

Separately, the OIG also assessed OCR’s computer systems as of May 2011, and concluded that OCR had not fully complied with the cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its information systems used to process and store investigation data, because it focused on system operability to the detriment of system and data security. As a result, the OIG recommended that OCR implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule. 

In response, OCR generally concurred with the recommendations and described the actions it has taken to address the OIG’s concerns since May 2011. Notably, while OCR did initiate a pilot audit program in November 2011 and has subsequently audited 115 covered entities, OCR also explained that the funds used to support those audit activities are no longer available, and no funds have been appropriated for it to maintain a permanent audit program. 

In consideration of the OIG’s report and OCR’s response, the questions that remain are how OCR will fund its statutorily required enforcement and compliance activities, and whether covered entities and business associates should expect increased enforcement to help subsidize OCR’s compliance and enforcement activities going forward.