Just in Time for the Phase II Audits: OIG Criticizes OCR’s Enforcement Efforts

Mintz - Health Care Viewpoints

As HIPAA-regulated entities anxiously await the commencement of the Phase II HIPAA audit program, the Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) has issued a report critical of the Office for Civil Rights’ (OCR) HIPAA enforcement performance, effectively giving OCR “something to prove.”

The report, released on September 28, 2015, examines whether OCR — the office within HHS charged with enforcing HIPAA — is sufficiently exercising its oversight responsibilities. The OIG focused specifically on OCR's oversight of covered entities’ compliance with HIPAA’s Privacy Rule, and found a number of areas where that oversight is lacking.

To reach its conclusion, the OIG examined statistical samples of privacy cases investigated by OCR, as well as surveys of OCR staff and interviews with OCR officials. After examining this data, the OIG reached the following conclusions:

  • OCR’s oversight is primarily reactive, with OCR investigating possible noncompliance primarily in response to complaints.
  • OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.
  • In 24 percent of cases where OCR requested corrective action, it subsequently failed to obtain complete documentation of corrective actions taken by the covered entities.
  • Some OCR staff rarely or never checked to see whether a covered entity had been previously investigated. The OIG found that the staff’s failure to check for previous investigations may be due to the limited functionality of its case tracking system.

The OIG’s report also sheds light on Privacy Rule compliance within the Medicare Part B provider community. According to the OIG’s findings, over a quarter of Part B providers did not address all of the applicable Privacy Rule standards, and may therefore be failing to adequately safeguard protected health information. The OIG’s findings are summarized below:

[Figure: OIG findings]

Based on its findings, the OIG recommended that OCR:

  • Fully implement a permanent audit program;
  • Maintain complete documentation of corrective action;
  • Develop an efficient method in its case-tracking system to search for and track covered entities;
  • Develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and
  • Continue to expand outreach and education efforts to covered entities.

OCR concurred with all five recommendations and described its activities to address them.

The OIG’s report comes just ahead of the impending start of OCR’s Phase II audit program. Whether the OIG’s report will impact how OCR conducts its Phase II audits, if at all, remains to be seen. However, it is not inconceivable that OCR could feel pressured to more aggressively investigate potential Privacy Rule noncompliance, and covered entities would be well-served to ensure that they are ready to respond to such audits. To assist covered entities in their response, we have made available a webinar entitled “The First Rule of How to Survive a HIPAA Audit: Be Prepared,” which can be viewed here.
