Watch for agency to get more aggressive, experts caution.
As if you didn’t have enough to worry about regarding the HHS Office for Civil Rights’ increasingly punishing HIPAA enforcement actions — now, a new government watchdog report says that OCR isn’t doing enough to crack down on HIPAA violations.
The HHS Office of Inspector General released a report that examines whether OCR is providing sufficient oversight. And the report is critical of the OCR’s HIPAA enforcement performance, “effectively giving OCR ‘something to prove,’” according to a recent analysis by attorneys Dianne Bourque and Jordan Cohen for law firm Mintz Levin.
The OIG studied statistical samples of privacy cases that OCR investigated, as well as surveys of OCR staff and interviews with OCR officials, Bourque and Cohen said. And after examining this data, the OIG decided that OCR’s oversight is lacking in several areas.
For example: OCR’s oversight is “primarily reactive,” with investigations of possible noncompliance largely in response to complaints, the OIG criticized. And OCR has not fully implemented the required audit program to proactively assess possible noncompliance among covered entities (CEs).
Also: OCR failed to obtain complete documentation of corrective actions that CEs had taken in 24 percent of cases where OCR requested corrective action. And some OCR staff rarely or never checked to determine whether the OCR or another enforcement entity had investigated a CE. The staff’s failure in this task may be due to the limited functionality of the OCR’s case tracking system, the OIG said.
Red flag: More than one-quarter of Medicare Part B providers did not address all of the applicable HIPAA Privacy Rule standards and may therefore be failing to adequately safeguard protected health information, the OIG warned.
The OIG recommended that the OCR fully implement a permanent audit program, maintain complete documentation of corrective actions, and continue to expand outreach and education efforts to CEs, according to Bourque and Cohen. The OIG also recommended that the OCR develop an efficient method in its case-tracking system to search for and track CEs, as well as develop a policy requiring OCR staff to check for previous investigations of CEs.
Significance: “The OIG’s report comes amidst the impending start of OCR’s Phase II audit program,” Bourque and Cohen wrote. “Whether the OIG’s report will impact how OCR conducts its Phase II audits, if at all, remains to be seen. However, it is not inconceivable that OCR could feel pressured to more aggressively investigate potential Privacy Rule noncompliance, and [CEs] would be well-served to ensure that they are ready to respond to such audits.”
Note: To read the OIG’s report, go to http://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf.