Kusserow on Compliance: OIG calls for more proactive oversight of HIPAA

The Office of Inspector General issued a report assessing the Office for Civil Rights’ (OCRs’) oversight of covered entities’ compliance with the HIPAA Privacy Rule and found the agency needed to strengthen its oversight of covered entities’ compliance with the Rule. The OIG found that the OCR’s oversight is not proactive through audits, but instead is primarily reactive in response to complaints. The agency also has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities. In about half of the closed privacy cases, the OCR determined that covered entities were noncompliant with respect to at least one privacy standard. In most cases in which OCR made determinations of noncompliance, it requested corrective action from the covered entities.

Covered entities

Covered entities such as doctors, pharmacies, and health insurance companies that do not adequately safeguard patients’ protected health information (PHI) could expose patients to an invasion of privacy, fraud, identity theft, and/or other harm. PHI includes identifying information like a patient’s name, test results, medical condition, prescriptions, or treatment history. The HIPAA Privacy Rule established standards for sharing, using, and disclosing individuals’ PHI and charged OCR with enforcing covered entities’ compliance with the HIPAA privacy standards.

Report

The OIG reviewed a statistical sample of privacy cases that the OCR investigated, surveyed OCR staff, interviewed OCR officials, reviewed the OCR’s investigation policies, and reviewed a sample of Medicare Part B providers and their documents to determine if they addressed five selected privacy standards. The report determined that the OCR documented corrective action in its case-tracking system for most of these cases. However, it did not have complete documentation of corrective actions taken by the covered entities in 26 percent of closed privacy cases. Interestingly, OCR staff appeared to be haphazard in checking whether covered entities had been previously investigated. In seven out of 10 cases, the staff at least sometimes checked whether covered entities had been previously investigated, but some rarely or never did so. Even when the agency wanted to check, the case-tracking system only allowed for limited search functionality to aid in the effort. Furthermore, the OCR does not have a standard way to enter covered entities’ names in the system.

From the review of the Medicare Part B providers and documents provided, the OIG determined that about 25 percent of providers did not address all five selected privacy standards, which suggest they may not be adequately safeguarding PHI.

Recommendation

The OIG’s report included the following recommendations:

  • Fully implement a permanent audit program;
  • Maintain complete documentation of corrective action;
  • Develop an efficient method to search for and track covered entities;
  • Develop a policy for OCR staff to check if covered entities have been previously investigated; and
  • Continue to expand outreach and education efforts to covered entities.

The OCR concurred with all recommendations and described its activities to address them. This is one of several reports relating to OCR oversight of HIPAA. In another report, the OIG found that the OCR did not meet other federal requirements critical to the oversight and enforcement of the HIPAA Security Rule. The takeaway from this is that the OCR may be expected to step up its audits of covered entities. For more on this topic including tips on how to be prepared for such audits, see “OCR to resume HIPAA audits.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2015 Strategic Management Services, LLC. Published with permission.