The Department of Health and Human Services Office of Inspector General (“OIG”) has issued a report that is critical of the Office for Civil Rights (“OCR”). OIG concluded that OCR is not fulfilling its responsibility to enforce the HIPAA regulations that safeguard protected health information (PHI) and to ensure that organizations protect patients’ privacy.
Here are some highlights of the report:
- OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule. OCR’s oversight is primarily reactive; it investigates possible noncompliance primarily in response to complaints.
- OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.
- OCR’s internal reporting and tracking of corrective actions needs to be upgraded.
Here are OIG’s recommendations:
- OCR should fully implement a permanent audit program
- Maintain complete documentation of corrective action
- Develop an efficient method in its case-tracking system to search for and track covered entities
- Develop a policy requiring OCR staff to check whether covered entities have been previously investigated
- Continue to expand outreach and education efforts to covered entities
OCR generally agreed with OIG’s findings and recommendations. It is in the process of upgrading its case management system and implementing some process changes to better manage cases and corrective actions.
OCR’s response on implementing a permanent audit program was very interesting. OCR made it clear that it is fully committed to implementing the program, which is scheduled to begin in early 2016. But it also made it clear that there is not adequate funding for a permanent audit program:
“The scope and structure of the audit program long-term will ultimately depend upon the availability and allocation of resources for the program.”
It appears that OCR is caught between the requirement that a permanent HIPAA audit program be put in place and the lack of funding to implement one. This is the second report from OIG that has been critical of OCR, and OCR is feeling the heat to implement the audit program. OCR has said in the past that it might use funds collected from HIPAA fines to fund its budget. So while a far-reaching HIPAA audit program may not be implemented in the near future, organizations that come under the OCR compliance microscope should expect to see large fines that help fund the OCR budget and make an example for other healthcare organizations. The odds that an organization is randomly selected for a HIPAA audit are low, but those that are selected may serve as the poster child of OCR enforcement.