The HHS Office of the Inspector General (“OIG”) recently published a report highly critical of the HHS Office for Civil Rights (OCR). The OCR is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules. It also issues guidance so that covered entities and business associates can achieve compliance with HIPAA’s security rule. According to the OCR, its guidance “will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (‘ePHI’).”1
After reading the OIG’s report, “The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule,” one wonders who is guiding OCR.2
In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH), which expanded the scope of the security rule to business associates of covered entities.3 Covered entities and their business associates may be subject to civil money penalties (CMP) for failing to comply with the security rule’s provisions. Violations constituting willful neglect may trigger a CMP of up to $50,000 per violation, capped at $1.5 million per calendar year for violations of an identical provision. HITECH also requires, among other things, that “The Secretary shall provide for periodic audits to ensure that covered entities and business associates… comply with such [HIPAA] requirements.” (Emphasis added.)
The OIG report notes that the OCR failed to provide for the periodic audits of covered entities and business associates that HITECH mandates. Nor had the OCR assessed which entities and which systems processing or storing ePHI were most at risk. According to the OIG report, the OCR failed to assess the risks, establish priorities, and implement controls for the security rule and HITECH requirements.
Instead, the OCR focused on security rule investigations triggered by press reports, reported breaches affecting more than 500 individuals, and public complaints. In response, the OCR claimed it lacked “sufficient resources to expand its compliance efforts.” The OIG also noted that the OCR did not have the expertise necessary to fulfill its obligations under the security rule and HITECH.
Because the OCR did not perform the mandatory compliance audits, it lacked knowledge of security rule compliance at covered entities and consequently could not provide assurance that ePHI was secure. In some cases, the OCR’s security rule investigation files were missing documentation, which the OIG attributed to OCR personnel not following policies and procedures, as well as to inadequate supervisory review to ensure that the OCR’s investigators were properly managing investigations.