OIG Study Suggests Increased HIPAA Enforcement
In September 2015, the U.S. Department of Health & Human Services Office of Inspector General (“OIG”) issued two studies concerning the Office for Civil Rights’ (“OCR’s”) oversight of compliance with the HIPAA rules. The first study recommends that OCR strengthen its oversight of compliance with the HIPAA Privacy Standards. The second study focuses on follow-up after a breach of protected health information. The OCR generally concurred with the recommendations of both studies. Below is a summary of the OIG’s recommendations to the OCR:
- Develop a permanent audit program. The OIG found that, while HITECH mandated audits effective 2010, no permanent audit program has yet begun. It stated that the vast majority of HIPAA investigations continue to be the result of a complaint, media report, or other tip. The OIG believes that the OCR cannot proactively identify HIPAA noncompliance without a permanent audit program. It also found that, in a large percentage of the closed investigations, the OCR had not imposed a resolution agreement or civil monetary penalty on those entities that were not compliant with one or more HIPAA privacy standards.
The OCR responded to this recommendation and stated that Phase 2 audits will begin in early 2016. These audits will cover both Covered Entities and Business Associates and will include a desk review of policies as well as on-site reviews. The OCR also stated it will be updating the audit protocols.
- Better utilize the OCR’s database tracking system. The OIG also recommended that the OCR enhance the Program Information Management System (“PIMS”) to allow more efficient tracking of: (i) small-breach information; (ii) complete documentation of corrective actions; and (iii) prior breaches by covered entities.
The OCR stated that it has plans to update the PIMS functionality for the increase in audits. The OCR also plans to add procedures to ensure that complete documentation of corrective action is added to the PIMS.
- Require the OCR to check whether or not Covered Entities reported prior breaches. The studies found that a majority of the OCR staff at least sometimes checked whether Covered Entities had previously been investigated. However, some of the OCR staff did so rarely or never.
The OCR plans to update its procedures to ensure all staff members search PIMS for a Covered Entity’s breach and compliance history.
- Expand outreach and education efforts. The study found that a number of Medicare-enrolled providers lack HIPAA policies and procedures to implement the HIPAA privacy standards. The OIG also stated that a majority of Medicare Part B providers responding to the OIG’s survey, conducted as part of the studies, expressed an interest in additional HIPAA guidance.
The OCR responded with a list of the resources already available to providers and concurred that it should continue to expand outreach and education efforts.
There are some important takeaways for health care organizations covered by HIPAA. First, OCR’s response provides an indication as to when to expect Phase 2 audits – early 2016. Covered entities and business associates should take the next few months to ensure all HIPAA policies and procedures are accurate and up to date. Organizations should also consider mock audits or informal assessments to identify gaps and areas of non-compliance.
Next, a majority of the OIG’s studies centered on the OCR’s tracking system, PIMS. Organizations should expect that the OCR could start following up on its corrective actions to ensure an organization is complying with all requirements. Additionally, as part of the OCR’s efforts to examine an organization’s breach history and patterns of noncompliance, the OCR could ask additional questions or open additional investigations at organizations that have reported multiple breaches or that have been subject to previous OCR investigations and resolution agreements.
Finally, organizations should continue to review and update the organization’s security risk analysis. The security risk analysis is a requirement of HIPAA and allows organizations to identify and mitigate risks to the privacy and security of protected health information.
The OIG studies and recommendations, coupled with the OCR’s responses, indicate that the Federal government intends to step up HIPAA enforcement. This is no surprise given the constant evolution of electronic health information in the digital age. Organizations must prioritize HIPAA privacy and security compliance and take steps to mitigate risks, respond appropriately to privacy and security concerns, and promote HIPAA awareness throughout the organization.
Abigail T. Mohs, Law Clerk