Two recent reports issued by the Office of Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) recommended that HHS’s Office for Civil Rights (“OCR”) should fully implement a permanent audit program and strengthen its follow-up procedures relating to breaches of Protected Health Information (“PHI”). See OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards, OEI-09-10-00510 (2015); OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities, OEI-09-10-00511 (2015) (“OIG Reports”).
The OIG Reports highlight weaknesses identified in OCR’s HIPAA oversight and enforcement activities and suggest that OCR’s current program is primarily reactive and does not proactively assess possible noncompliance with HIPAA. The OIG noted that OCR’s investigation efforts depend on covered entities’ self-reporting of breaches as well as responding to complaints, tips, or media reports about breaches. In addition to recommending that OCR move forward with implementation of its permanent audit program, the OIG recommended that OCR improve its ability to search for and track prior breach reports filed by entities in order to identify those that may have systematic problems with HIPAA compliance. The OIG wants OCR to not only track large breaches but also smaller breaches that could indicate patterns of noncompliance.
In its responses to the OIG Reports, OCR noted that it is committed to ensuring strong privacy protections for individuals’ identifiable health information and ensuring that covered entities and their business associates comply with requirements of the Breach Notification Rule. In its September 23, 2015 response to the OIG recommendations (attached to OEI-09-10-00510), OCR stated that it is moving forward with a permanent audit program that would include periodic audits. OCR believes that Phase 2 of this program will be implemented in early 2016. This phase will test the efficacy of a combination of desk reviews of an entity’s policies as well as on-site reviews. The phase will target specific areas of noncompliance and will also directly target business associates. Over the next few months, OCR is expected to update audit protocols; refine the pool of potential audit subjects; and implement screening tools to assess size, entity type, and other information about potential audit subjects.
OCR is also updating its electronic document management system and investigations tracking system to enhance its audit program. According to a September 23, 2015 response to the OIG’s recommendations (attached to OEI-09-10-00511), OCR now has the capacity to track entities’ historical breach reports, including information relating to breaches affecting fewer than 500 individuals, to help OCR identify covered entities’ history of compliance. With this capacity, OCR may now become more proactive with enforcement efforts against entities that experience repeated breaches, whether large or small. OCR plans to develop a standardized process that will require all OCR investigators to consistently check for prior breaches submitted by covered entities and their business associates when initiating an investigation.
With OCR’s imminent launch of Phase 2 of their HIPAA audit program, both covered entities and business associates should watch for additional outreach and educational resources issued by OCR, including new audit protocols and other compliance guidance, to help prepare for a potential audit. Covered entities and business associates should also review their own internal processes, including conducting routine security risk assessments, reviewing privacy and security policies and procedures, and undergoing HIPAA compliance training.