The HHS Office for Civil Rights (OCR) needs to improve and expand its health privacy and data breach enforcement efforts. This was the message delivered by the September 29 release of twin reports by the U.S. Department of Health and Human Services Office of Inspector General (OIG) that assessed OCR’s enforcement of federal health privacy laws. The studies were commissioned out of concern that the failure to adequately safeguard health information can expose large numbers of patients “to privacy invasion, fraud, identity theft, and/or other harm.” Enforcement of the HIPAA privacy laws in the U.S. is viewed as critical to ensuring that vulnerabilities that can lead to data breaches and potential harm to patients are addressed.
The reports, based on OIG review of a statistical sample of cases and breaches from September 2009 to March 2011, surveys of OCR staff, and interviews of OCR officials, focus on OCR’s enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Breach Notification Rule. The first report, OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards, suggests that OCR’s enforcement of the HIPAA Privacy Rule is insufficient, failing to proactively assess noncompliance. The second report, OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities, indicates that OCR does not adequately investigate or track all data breaches reported by Covered Entities.
Taken together, the reports chronicle perceived deficiencies in OCR enforcement and suggest ways that OCR can improve oversight. The reports list the ways in which OCR plans to address the challenges identified, foreshadowing OCR enforcement priorities going forward. Notably, the agency made clear that it plans to identify a pool of potential audit targets and fully launch the permanent audit program in early 2016.
The reports identify the following HIPAA enforcement concerns:
- OCR’s oversight is too reactive, primarily responding to reported breaches;
- OCR has not fully implemented a permanent audit program;
- OCR should strengthen follow-up of reported breaches. Although OCR investigations regularly found areas of noncompliance, too many cases had incomplete documentation of corrective actions;
- OCR does not document information about smaller breaches (i.e., those involving fewer than 500 individuals) in its case-tracking system, limiting its ability to identify organizations experiencing multiple small breaches;
- Although the majority of OCR investigative staff check “at least sometimes” whether Covered Entities have reported prior breaches, a significant percentage do so rarely or not at all; and
- The OCR case-tracking system has limited search functionality and no standard naming conventions, making it difficult to track an organization’s historical compliance.
To address the deficiencies, OIG recommended the following:
- Enter information related to small breaches into the OCR case-tracking system or a searchable database linked to the system;
- Maintain complete documentation of corrective actions;
- Develop an efficient method in the OCR case-tracking system to search for and track prior breaches reported by Covered Entities;
- Develop a policy that requires OCR staff to check whether Covered Entities reported prior breaches;
- Continue to expand outreach and education efforts; and
- Fully implement a permanent audit program.
OCR concurred with all OIG recommendations and described the following efforts to address them:
- The OCR case-tracking system was upgraded in September 2015 so that staff can capture small breach information in the database and search for and track Covered Entities’ history of compliance. OCR is also making further upgrades to the system that will support the audit program;
- OCR will implement policies to ensure that staff reviews Covered Entity compliance history;
- OCR will make staff aware of appropriate procedures for tracking corrective actions;
- OCR plans to launch Phase 2 of the audit program in early 2016. Over the next few months OCR will refine the audit protocols, cull a pool of potential audit subjects, and implement a screening tool to assess information about potential audit subjects. OCR did note that the scope and structure of the program hinge on the availability of resources; and
- OCR will continue its public outreach efforts to raise awareness of its compliance and enforcement programs. Notably, OCR believes the audit program will serve an important outreach and compliance role, in addition to being a potential enforcement mechanism.
The reports signal the importance, for all HIPAA-regulated entities, of maintaining robust privacy and security programs. As OCR Director Jocelyn Samuels recently announced during the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference, the 2016 audit program will (1) include Covered Entities and Business Associates alike, (2) combine desk reviews of policies with on-site reviews, and (3) target common areas of noncompliance. As HIPAA-regulated entities await OCR’s announcement of the updated audit protocol, they can benchmark their preparedness and HIPAA compliance against the existing protocol and other guidance available on the OCR Health Information Privacy website.
In addition, given OCR’s efforts to address the limitations identified with its case-tracking system, HIPAA-regulated entities suffering multiple breaches, however small, may face increased scrutiny. Enforcement risks will likely be heightened by OCR’s purported intent to ensure review of historical compliance during its investigations, an effort bolstered by its system upgrades. Furthermore, although OCR reported that it already requires staff to maintain complete documentation of corrective actions, it appears that this area may receive additional attention going forward. Companies suffering data breaches should implement sufficient measures to document investigations and responses, and increase their focus on documenting the remediation and corrective actions taken.