According to the Office for the Inspector General (OIG) of the Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) has accomplished certain requirements, but it has not satisfied others that are critical to the oversight and enforcement of the HIPAA Security Rule. 

In its Report, the OIG observed that OCR had accomplished certain oversight and enforcement tasks. For instance, OCR has provided guidance to covered entities regarding HIPAA Security Rule compliance, established an investigation process for responding to reported violations of the HIPAA Security Rule, and followed Federal regulations when imposing penalties for violations of the HIPAA Security Rule. However, the OIG found that OCR had not assessed risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure HIPAA Security Rule compliance. The OIG also concluded that OCR had not implemented sufficient review and supervisory oversight to ensure that its investigators followed investigation policies and procedures to properly initiate, process, or close HIPAA Security Rule investigations. Additionally, according to the OIG, OCR has not fully complied with the Federal cybersecurity criteria of the National Institute of Standards and Technology (NIST) Risk Management Framework in its use of three HHS information systems: the Compliance Data System (CDS), the Program Information Management System (PIMS), and the Breach Notification System. Among other things, OCR did not obtain authorizations to operate the three systems, did not complete privacy impact assessments or risk analyses, and did not develop a system security plan for the CDS or the Breach Notification System.

The OIG has recommended that OCR:

  • Assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  • Provide for periodic audits under HITECH to ensure HIPAA Security Rule compliance at covered entities;
  • Implement sufficient oversight controls over HIPAA Security Rule investigations; and
  • Implement the NIST Risk Management Framework for the information systems OCR uses to oversee and enforce the HIPAA Security Rule.

OCR, while generally concurring with the OIG’s recommendations, noted, among other things, that it had engaged KPMG to conduct a pilot audit program of 115 covered entities (47 health plans, 61 health care providers, and 7 clearinghouses). OCR is evaluating the pilot audit program and plans to make decisions regarding a permanent audit program, which will include audits of business associates. Importantly, however, OCR also noted the lack of additional funding to maintain a permanent audit program, and that the funds used to conduct and support audit activities expired in December 2012.

For access to the OIG’s Report, click here.