The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) recently issued a report reviewing the HIPAA audit program administered by the Office for Civil Rights (OCR). OCR is responsible for enforcing the regulations promulgated under HIPAA, including the Privacy, Security and Breach Notification Rules. The OIG report, bluntly titled “OCR SHOULD STRENGTHEN ITS OVERSIGHT OF COVERED ENTITIES’ COMPLIANCE WITH THE HIPAA PRIVACY STANDARDS,” criticized OCR for its lack of enforcement under HIPAA. As a remedy, the OIG recommended that OCR:
- Fully implement a permanent audit program,
- Maintain complete documentation of corrective actions,
- Develop an efficient method to search for and track covered entities,
- Develop a policy that requires OCR staff to check whether covered entities have been investigated previously, and
- Continue to expand outreach and education efforts.
In response, the Office for Civil Rights concurred with each of OIG’s recommendations and noted that it will launch Phase 2 of its audit program in early 2016. OCR indicated that it will update its audit protocols soon. The audit program will continue to use both (1) desk reviews of policies and (2) on-site inspections. OCR stated that the new audit program will target specific common areas of noncompliance and will, for the first time, include audits of business associates.
Along with its report regarding OCR’s lack of enforcement under HIPAA, the Office of Inspector General issued a related report, also critical of the OCR, “OCR SHOULD STRENGTHEN ITS FOLLOWUP OF BREACHES OF PATIENT HEALTH INFORMATION REPORTED BY COVERED ENTITIES”. In that report, the OIG found that “although OCR documented corrective action for most of the closed large-breach cases in which it made determinations of noncompliance, 23% of cases had incomplete documentation of corrective actions taken by covered entities. OCR also did not record small-breach information in its case-tracking system, which limits its ability to track and identify covered entities with multiple small breaches.”
With OCR’s launch of Phase 2 of the HIPAA audit program in early 2016, both covered entities and business associates should watch for resources issued by OCR, including the updated audit protocols, so that they are prepared for a potential audit. Stay tuned for more details.