In a December 4 report, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) found that the HHS Office for Civil Rights (OCR) did not meet all federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
Although OCR did meet some requirements, OIG identified key areas where oversight was lacking. Under the Health Information Technology for Economic and Clinical Health Act (HITECH), OCR is required to provide for periodic audits to ensure that covered entities and their business associates comply with Security Rule requirements. The OIG report found that OCR had not implemented such periodic audits and instead continued to follow a complaint-driven approach, investigating Security Rule compliance only after a complaint or breach report brought a covered entity or business associate to its attention.
Additionally, the OIG report found that because management had not implemented sufficient controls, OCR's Security Rule investigation files did not contain required documentation supporting key decisions. Specifically, 39 of 60 selected records were missing one or more of the documents necessary to initiate, process or close those investigations.
Further, OIG reported that OCR had not fully complied with federal cyber security requirements for its information systems used to process and store investigation data “because it focused on system operability to the detriment of system and data security.”
To remedy these deficiencies, OIG recommended that OCR:
- Assess the risks, establish priorities and implement controls for its HITECH auditing requirements;
- Provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
- Implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed;
- Implement the National Institute of Standards and Technology (NIST) Risk Management Framework for systems used to oversee and enforce the Security Rule.
According to the OIG, OCR generally concurred with its recommendations and commented on the actions it has taken to address them. In commenting on the report, OCR said no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities in the past were no longer available. OIG responded that it remains concerned with OCR’s ability to provide the required oversight.