Kusserow’s Corner: Failing Grade to HIPAA Security Rule Oversight and Enforcement

The HHS Office of Inspector General’s (OIG) Office of Evaluation and Inspection (OEI) reviewed the Office for Civil Rights (OCR) and issued a report (A-04-11-05025) on its findings. The stated objectives of the review were to determine whether (1) OCR met federal requirements for providing oversight and enforcement of HIPAA Security for electronic Protected Health Information (ePHI); and (2) OCR’s computer systems, which are used to oversee and enforce the Security Rule, met federal cybersecurity requirements. The OIG notes that this review followed a related review from 2011, conducted after oversight of the Security Rule was delegated from CMS to OCR. That earlier report disclosed a number of weaknesses at hospitals and demonstrated the need for greater oversight and enforcement by OCR. The OIG recommended that OCR continue the compliance-audit process begun by CMS and implement procedures for conducting compliance reviews. To accomplish their objectives, the OIG:

  • Reviewed the laws and regulations pertaining to ePHI and cybersecurity;
  • Reviewed OCR’s policies, processes, systems, and applications for overseeing and enforcing the Security Rule;
  • Assessed OCR oversight and enforcement of the Security Rule for covered entities;
  • Evaluated the risk assessment OCR used to allocate its oversight and enforcement resources;
  • Reviewed OCR use of Civil Monetary Penalties (CMPs) for violators;
  • Interviewed OCR staff members in Washington, DC, and regional offices to understand their interpretation of and processes for implementing the Security Rule;
  • Assessed OCR guidance to covered entities regarding the Security Rule;
  • Reviewed OCR contracts and interviewed contractors that performed technical analyses and provided recommendations to OCR regarding potential Security Rule violations;
  • Selected 30 closed and 30 open investigations out of the 364 on record between 2009 and 2011; and
  • Interviewed OCR officials responsible for overseeing investigations and supervising staff.

The OIG also examined the investigation process for responding to reported violations. It concluded from its review that OCR did not meet certain federal requirements critical to the oversight and enforcement of the HIPAA Security Rule. Specifically, the OIG found that OCR:

  • Had not assessed risks, established priorities, or implemented controls for its federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements.
  • Did not have the required documentation supporting key decisions in its Security Rule investigation files, because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators followed investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations.
  • Had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security.

The OIG recommended that OCR take the following steps:

  1. Assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  2. Provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
  3. Implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
  4. Implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule.

In response to the OIG report, OCR generally concurred with the findings and recommendations. In its defense, OCR stated that it had contracted for the development of audit mandate options, developed an audit protocol, conducted pilot audits of covered entities, and was in the process of evaluating the results. However, it explained that no funds had been appropriated to maintain a permanent audit program, and that the funds used to support audit activities previously conducted were no longer available. This comes across as a fairly weak excuse for the problems documented, especially in light of the prior OIG report on the subject.

Overall, the OIG expressed concern about OCR’s ability to comply with the HITECH audit requirements, particularly in light of OCR’s comment that it could give only limited assurance of carrying out its audit mandates because of inadequate funding. The report was presented in a very diplomatic manner. It is the OIG’s custom to provide as much positive feedback as it can when delivering negative findings; however, there was not much of that in this report. The fact is, the scope of the OIG’s review was far broader than what was included in the commentary. Although the OIG reviewed OCR investigations, it made no comment on the quality of those investigations and did not note their results. All in all, this had to be a shockwave for OCR. As the former Inspector General, I can say that delivery of a report of this type suggests that only the tip of the iceberg was presented. It does not take much reading between the lines to suggest that there is far more to the problems at OCR than the report directly states. I believe that as a result of this report, OCR will be forced to act aggressively in carrying out its mandates for HIPAA Security enforcement.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He is currently CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.
Copyright © 2014 Strategic Management Services, LLC. Published with permission.