OIG Report Criticizes OCR’s HIPAA Enforcement Efforts

The Office of Inspector General for the U.S. Department of Health & Human Services (OIG) issued a Nov. 21, 2013, report criticizing the HIPAA enforcement efforts of the Department of Health & Human Services Office for Civil Rights (OCR).  The report’s title nicely summarizes the OIG’s findings:  “The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.” 

Examining oversight and compliance efforts in Washington, D.C., and Atlanta between July 2009 and May 2011, the OIG found that OCR did not meet federal requirements for the oversight and enforcement of the HIPAA security rule.  According to the OIG’s report, OCR continued to follow a complaint-driven approach to its compliance efforts and did not provide for periodic audits.  In addition, the OIG found that OCR’s investigation files did not contain required documentation supporting key decisions. 

Notably, when the OIG examined OCR’s computer systems in May 2011, the OIG found that OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data. 

The OIG made several recommendations to OCR, including that it provide for periodic audits of covered entities to ensure compliance with HIPAA's Security Rule. It is possible that the report will result in increased audits of covered entities. Covered entities should therefore assess their HIPAA compliance efforts now, including conducting and documenting the risk analysis that the Security Rule already requires of them.