On Wednesday, December 4, 2013, the HHS Office of Inspector General (OIG) issued a report raising concerns about the adequacy of the HHS Office for Civil Rights’ (OCR) oversight and enforcement of HIPAA’s Security Rule. The Security Rule establishes the administrative, physical, and technical safeguards that covered entities and their business associates are required to implement in order to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The HITECH Act requires HHS to conduct periodic audits of covered entities to ensure compliance with the Security Rule and other HIPAA requirements. 

The OIG found that OCR did not meet Federal requirements critical to the oversight and enforcement of the Security Rule. Instead of conducting periodic audits, the OIG found that OCR had continued to follow its pre-HITECH Act complaint-driven approach to Security Rule compliance, resulting in limited information about the status of Security Rule compliance at covered entities and business associates. The OIG also found that OCR’s files on the Security Rule investigations it conducted often lacked documentation to support key decisions.

The OIG recommended that OCR begin conducting periodic audits and implement sufficient controls to ensure that its investigation policies and procedures are followed.

On the OIG’s findings with respect to Security Rule compliance auditing, OCR responded to the OIG by citing its pilot audit program, which began in November 2011. In our November 30, 2011, March 7, 2012 and June 26, 2012 posts, we discussed OCR’s audit pilot program and the audit protocols being implemented in its pilot program. The pilot audit program was developed pursuant to the requirements of the HITECH Act. Pursuant to the pilot program, a total of 115 covered entities were audited for compliance with the HIPAA Privacy, Security, and Breach Notification Rules in 2011-2012. Under a contract with OCR, PWC, LLP is currently engaged in an evaluation of the pilot audit program (2013).

On December 4, OCR made a presentation to a meeting of the Health IT Policy Committee, an advisory committee to the HHS Office of the National Coordinator for Health Information Technology. The presentation covered, among other topics, a discussion of some of the findings of its pilot audit program. Susan McAndrew, OCR’s Deputy Director for Health Information Privacy, noted that the Security Rule accounted for 60% of the findings and observations in the pilot program, although it was only 28% of the potential total. On the health care provider side, nearly all the entities audited had at least one security-related compliance issue. Two-thirds of all the entities audited in the pilot program did not have a complete and accurate Security Rule risk assessment. The most common Security Rule issues identified by the pilot audit program involved risk assessment, electronic media movement and disposal, and audit controls and monitoring. Most of the entities reported that they were unaware of the requirements they failed to meet. After OCR and its contractor complete an evaluation of the pilot audit program, OCR will determine follow up and next steps for its audit program, including creation of technical assistance, determination of where individual follow up is appropriate, and identification of leading (best) practices. It will also revise the audit protocol to reflect the requirements of the Omnibus Rule, and make decisions about ongoing audit program design and focus.

n its comments to the OIG report, OCR stated that it will make decisions about a permanent audit program based on the evaluation being conducted of the pilot audit program. Those decisions will include the strategy and process for audits of business associates and a development of program priorities. OCR commented that, instead of broadly auditing covered entities and business associates with respect to compliance with the HIPAA Privacy, Security, and Breach Notification Rules, its future audits will likely focus on key areas of concern for OCR identified by new initiatives, enforcement concerns, and Departmental priorities.

In addition to OCR’s failure to implement periodic audits, the OIG found that the OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data. Exploitation of system vulnerabilities could impair OCR’s ability to perform functions vital to its mission. The OIG recommended that OCR implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.