OIG Finds Office for Civil Rights Did Not Meet All Requirements For Oversight and Enforcement of the HIPAA Security Rule


According to the Office for the Inspector General (OIG) of the Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) has accomplished certain requirements, but it has not satisfied others that are critical to the oversight and enforcement of the HIPAA Security Rule.  

In its Report, the OIG observed that OCR had accomplished certain oversight and enforcement tasks. For instance, OCR has provided guidance to covered entities regarding HIPAA Security Rule compliance, established an investigation process for responding to reported violations of the HIPAA Security Rule, and followed Federal regulations when imposing penalties for violations of the HIPAA Security Rule. However, OIG found that OCR had not assessed risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure HIPAA Security Rule compliance. The OIG also concluded that OCR had not implemented sufficient review and supervisory oversight to ensure that its investigators followed investigation policies and procedures to properly initiate, process, or close HIPAA Security Rule investigations. Additionally, according to the OIG, OCR has not fully complied with Federal cybersecurity criteria included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its use of three HHS information systems: the Compliance Data System (CDS), the Program Information Management System (PIMS), and the Breach Notification System. Among other things, OCR did not obtain authorizations to operate the three systems, and it did not complete privacy impact assessments or risk analyses, or develop a system security plan, for the CDS or the Breach Notification System.

The OIG has recommended that OCR:

  • Assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  • Provide for periodic audits under HITECH to ensure HIPAA Security Rule compliance at covered entities;
  • Implement sufficient oversight controls over HIPAA Security Rule investigations; and
  • Implement the NIST Risk Management Framework for the information systems OCR uses to oversee and enforce the HIPAA Security Rule.

OCR, while generally concurring with the OIG's recommendations, noted, among other things, that it had engaged KPMG to conduct a pilot audit program of 115 covered entities (47 health plans, 61 health care providers, and 7 clearinghouses). OCR is evaluating the pilot audit program and plans to make decisions regarding a permanent audit program, which will include audits of business associates. Importantly, however, OCR also noted the lack of additional funding to maintain a permanent audit program, and that the funds used to conduct and support audit activities expired in December 2012.

For access to the OIG’s Report, click here.

Reporter, Tracy Weir, Washington, D.C., +1 202 626 2923, tweir@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
