OIG slams HHS Office of Civil Rights on HIPAA security oversight

The HHS Office of the Inspector General (“OIG”) recently published a report highly critical of the HHS’ Office of Civil Rights (OCR). The OCR is responsible for administering and enforcing HIPAA’s privacy, security and breach notification rules. It also issues guidance so that covered entities and business associates can achieve compliance with HIPAA’s security rule. According to the OCR, its guidance “will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (‘ePHI’).”¹

After reading the OIG’s report, “The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule,” one wonders who is guiding OCR.²

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH), which expanded the scope of the Security Rule to business associates of covered entities.³ Specifically, covered entities and their business associates may be subject to civil money penalties (CMP) for failing to comply with the security rule’s provisions. Violations constituting willful neglect may trigger a CMP of up to $50,000 and $1.5 million per year with no maximum for multiple violations. HITECH also requires, among other things, that “The Secretary shall provide for periodic audits to ensure that covered entities and business associates… comply with such [HIPAA] requirements.” (Emphasis added.)

The OIG report notes that the OCR failed to provide for the mandatory audits of covered entities, as required by the security rule. Nor had the OCR assessed which entities and systems involved with the processing and storage of ePHI were at the greatest risk of vulnerability. According to the OIG report, OCR failed to assess the risks, establish priorities, and implement controls for the Security Rule and HITECH requirements.

Instead, the OCR focused on security rule investigations that were generated by press reports, reported breaches that involved more than 500 individuals and public complaints. In response, the OCR claimed it lacked “sufficient resources to expand its compliance efforts.” Additionally, the OCR did not have the necessary expertise to fulfill its obligation pursuant to the security rule and HITECH, noted the OIG.

As a result of the OCR’s failure to perform the mandatory compliance audits, it lacked knowledge of security rule compliance at covered entities. Consequently, it was unable to provide assurances that ePHI was secure. In some cases, the OCR security rule investigations were missing documentation which the OIG attributed to a failure of the OCR personnel to follow policies and procedures as well as inadequate supervisory review to ensure that the OCR’s investigators were properly managing investigations.

As if the scathing criticism above was not troubling enough, the OIG also determined that the computer systems used by the OCR to store, retrieve and track security rule oversight and enforcement actions were not compliant with federal cybersecurity requirements. While the OCR responded that it generally concurred with the recommendations of the OIG, it also noted that “no monies have been appropriated for the OCR to maintain a permanent audit program.”⁴ Regarding its failure to meet federal cybersecurity requirements, the OCR noted that since the OIG review, it has taken steps to assure its compliance with applicable requirements.

Whether or not Congress appropriates additional funding in the near term to enable the OCR to conduct its mandatory audits, it would be prudent for covered entities and their business associates to proactively ensure compliance with HIPAA and the HITECH requirements. The OCR may not have been compliant with meeting all Federal mandates, as the OIG determined. However, covered entities and their business associates do not have the luxury of non-compliance.

REFERENCES

¹ HHS Press Release, Guidance on Risk Analysis Requirements under the HIPAA Security Rule. July 14, 2010. Available online at: https://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. Accessed on December 6, 2013.

² HHS Office of the Inspector General, The Office for Civil Rights Did Not Meet All Federal Requirements in its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule, A-04-11-05025 November 2013. Available online at: https://oig.hhs.gov/oas/reports/region4/41105025.pdf.

³ Medical devices that collect, maintain and/or communicate ePHI are covered by HITECH. The expansive application of HITECH encompasses both wired and wireless healthcare technology devices found throughout the clinical environment.

⁴ Funding for OCR’s oversight and enforcement of the Security Rule was appropriated by the American Recovery and Reinvestment Act of 2009 and expired in December 2012, according to OCR.

Alan C. Horowitz

Alan C. Horowitz, Esq., is a partner at Arnall Golden Gregory LLP, where he focuses his legal practice on regulatory compliance for skilled nursing homes, hospices and home health agencies and manages cases where the Centers for Medicare and Medicaid Services (CMS) has imposed an enforcement action. He is a former assistant regional counsel Office of the General Counsel, U.S. Department of Health and Human Services. As counsel to CMS, he was involved with hundreds of enforcement actions and successfully handled appeals before administrative law judges, the HHS Departmental Appeal Board and in federal court. He also has clinical healthcare experience as a registered respiratory therapist and registered nurse. He can be reached at alan.horowitz@agg.com.