On December 5, 2013, the Office of Inspector General (OIG) reported on the Office for Civil Rights’ (OCR) compliance as of May 2011 with oversight and enforcement of the Security Rule and compliance with federal cybersecurity requirements. The Security Rule implements provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).
These agency audits and reports, which are statutorily mandated of U.S. Department of Health and Human Services (HHS) departments, examine agency activity and nudge agency departments to “toe the line” to improve agency efficiency and prevent waste, fraud, abuse, and mismanagement. Even though reports may not identify nefarious behavior, the audits serve as a reminder of the previous agency focus and warn of future agency activity based on the auditor’s recommendations. The OIG’s December 5 report follows suit.
Although a read of the audit accounts may imply that the OCR lacked diligence in carrying out its HIPAA and HITECH mandates as far as the Security Rule is concerned, such an interpretation would be only partially true. First, the report assesses the OCR’s activities between July 2009 and May 2011. And, as might be expected, the OCR’s plate has been full since HHS' 2009 delegation of responsibility to the OCR for oversight and enforcement of the Security Rule. The OCR already had more than its share of responsibilities with civil rights and health information privacy obligations. While not minimizing the OIG's concerns, this article does highlight some of the complexities in enforcing a rapidly evolving regulatory regime. And, query, how relevant is a report of activity occurring more than 30 months ago?
The specific responsibilities that the OCR assumed in July 2009 included ensuring that HIPAA-covered entities complied with the Security Rule, investigating and resolving potential HIPAA violations, periodically auditing covered entities, and complying with federal internal control and cybersecurity requirements. Federal regulations gave the OCR leeway either to resolve noncompliance informally or to impose civil monetary penalties. Prior to HHS delegating Security Rule oversight to the OCR, CMS conducted no audits of the rule’s compliance, but rather allowed self-initiated compliance audits of covered entities.
What are the OIG’s Concerns, and What Federal Requirements Did the OCR Fail to Meet?
The OIG states that the OCR did not perform a risk assessment, establish priorities, implement controls for the audits to ensure Security Rule compliance (see OMB Circular A-123), or provide for periodic audits. Because of those failings, the OCR could not ensure covered-entity compliance and “missed opportunities” to encourage compliance.
The OIG has several concerns: (1) The OCR had not assessed by May 2011 which entities and what systems had the greatest risk of electronic protected health information (ePHI) exposure. (2) The OCR continued the joint CMS/OCR complaint-driven approach (as opposed to the required audit approach). (3) The OCR focused more on its civil rights and health privacy oversight and enforcement responsibilities rather than on its risk assessment, control development, and periodic audits for Security Rule compliance. (4) Instead of auditing, the OCR spent resources on Security Rule investigations originating from press reports, large individual volume breaches (i.e., more than 500 individuals), and public complaints.
In its defense, the OCR related its insufficient resources to expand its compliance efforts beyond event-driven compliance investigations (versus audit-driven investigations) and its lack of expertise to carry out Security Rule and HITECH responsibilities. In other words, the Office did not have the capacity or capabilities to audit systems that store PHI and their security controls.
While lack of resources and personnel to carry out responsibilities are understandable, the OIG’s concerns are genuine and important, although weakly voiced. The OIG states that the OCR had only limited assurance of the security of ePHI held by covered entities and conjectures that the OCR might have missed motivating covered entities. Audits might have given the OCR clues as to vulnerabilities and helped it better allocate its resources.
Flawed Documentation of Security Rule Investigations
The OIG discounted the investigation process by which the OCR would respond to reported Security Rule violations that the OCR identified. Upon review, the OIG found that the OCR’s files did not include required documentation that reflected staff key decisions and that staff had not followed OCR procedures. The audit reflected that “39 of 60 selected records were missing 1 or more of the documents necessary to initiate, process, or close those investigations.”
Because the OIG found lacking sufficient controls, including review and documentation, it deemed that the OCR did not have enough assurance that it “identified and mitigated vulnerabilities to ePHI during Security Rule investigations.” As with the previous concern, the OIG concern with respect to document retention is justifiable, particularly given that the OCR has the authority to penalize HIPAA-covered entities and their business associates for “missing” documentation.
Noncompliance with Cybersecurity Requirements
Federal agencies, including the HHS, are required to implement programs for information security (i.e., cybersecurity requirements). Among those requirements are security authorizations, privacy impact assessments, risk analyses, and system security plans. The OIG determined that the OCR systems storing the documentation of Security Rule oversight and enforcement data failed to comply with the cybersecurity requirements under the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF).
Evidently, the OCR used and relied on CMS systems for HIPAA oversight and enforcement and did not focus on securing those systems. According to the OIG, the OCR increased “the risk of unauthorized disclosure or destruction of ePHI” by failing to give sufficient priority to federal cybersecurity requirements and by not completing the NIST requirements. The OIG did recognize that it found “no evidence that anyone had compromised [the] OCR’s sensitive information or information systems.”
The Rest of the Story
As mentioned earlier, the OIG’s report covered July 2009 to May 2011. In his response to the OIG, OCR Director Leon Rodriguez identified the agency’s implementation of significant activities and strategic initiatives designed to monitor and measure covered-entity compliance with the Security Rule and HITECH requirements in the now more than 2½ years since 2011. Important among those activities and initiatives are:
Partnering with HHS in its Federal Health IT Strategic Plan for 2011-2015;
In January 2013, issuing the omnibus rules implementing HITECH’s modifications to the HIPAA privacy, security, breach notification, and enforcement rules;
Enforcing the HIPAA privacy rules by corrective action in connection with more than 13,000 cases, entering into resolution agreements in 11 cases having payments of approximately $10 million, and imposing a $4 million civil monetary penalty in one case;
Developing a host of privacy- and security-oriented technical assistance materials for covered entities and business associates (including e-PHI safeguards, the NIST HIPAA Security Toolkit Application, a video game addressing ePHI security in mobile devices with ONC, two educational videos available through YouTube, and video training modules available on Medscape Internet);
Completing the 115 pilot audits of HIPAA privacy, security, and breach enforcement standards (¼ of which are security standards) conducted by KPMG on covered entities between December 2011 and December 2012;
Evaluating the pilot audit program in 2013 under a contract with PricewaterhouseCoopers;
Merging the two information systems that previously separately tracked administrative and enforcement actions for privacy and security rules (resulting in only one information system) and upgrading that system;
Giving Security Rule case investigators access to subject matter experts with necessary technical certifications; and
Implementing the NIST RMF, including authorizing the OCR’s chief information officer to operate the merged information system and assigning administrative and technical management of the Breach Notification System to the HHS Assistant Secretary for Public Affairs (both NIST RMF requirements).
Given its directives, the OIG fittingly completed its audit responsibilities. And, as indicated, deficiencies existed. But, when one knows the “rest of the story” and recognizes the volume of effort and output exhibited by OCR staff, the number of pages in the omnibus HITECH rule drafted, the inevitable difficulties in merging information systems, and the challenges of overseeing and evaluating pilot audits, even a neophyte HIPAA follower and government critic might offer OCR the benefit of the doubt.