HHS Inspector General: HIPAA Enforcer Not Following Rules

The HHS Office for Civil Rights is doing an inadequate job of enforcing the HIPAA security rule by conducting audits, and has not properly secured its own related information systems, a report from the HHS Office of Inspector General contends.

HHS/OCR has conducted pilot audits and was expected in 2013 to significantly expand the program. The agency, however, told OIG that no funds have been appropriated to maintain a permanent audit program. “We remain concerned about OCR’s ability to comply with the HITECH audit requirement and the resulting limited assurance that ePHI is secure at covered entities because of OCR’s comment regarding limited funding for its audit mandates,” OIG replied in the report.

OIG further questioned OCR’s handling of investigation into violations of the HIPAA security rule. “Although OCR established an investigation process for responding to reported violations of the security rule, its security rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation,” according to the report. “OCR had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing and closing Security Rule investigations.”

Neither has OCR complied with federal cybersecurity regulations, specifically the NIST Risk Management Framework, to protect its own information systems that process and store investigation data, “because it focused on system operability to the detriment of system and data security,” the HHS Office of Inspector General concluded. “For example, OCR did not obtain HHS authorization to operate the three systems used to oversee and enforce the security rule. In addition, it did not complete privacy impact assessments, risk analyses or system security plans for two of the three systems. Exploitation of system vulnerabilities, normally identified through the Risk Management process, could impair OCR’s ability to perform functions vital to its mission.”

OIG offered a number of recommendations to increase security of the information systems and provide for periodic HIPAA audits of covered entities, and OCR “generally” agreed with the recommendations and described actions to address them.

“The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule,” is available here

In response to an email requesting comment, the HHS Office for Civil Rights issued the following statement to Health Data Management:

"We appreciate the work of the OIG to ensure strong enforcement of the HIPAA Security Rule. The report found certain administrative and information system documentation deficiencies, all of which were corrected  prior to the final report’s publication. The major recommendation by the OIG was that OCR should implement an audit or audit-type function rather than rely solely on complaints as a means of assessing compliance with the HIPAA Security Rule. OCR is in total agreement with the recommendation of the OIG, and in our response documented for the OIG all the steps we have been taking to pilot and implement an audit program since the conclusion of the OIG field work in 2011. Even without an appropriation, OCR is committed to maintaining a permanent audit program. We are currently evaluating our recent audit pilot experience and incorporating those lessons into the design of that permanent program and future activities. We will share more information on the details of these activities as it becomes available.  Monetary settlements and fines collected to date are used for enforcement and compliance activities, which includes support of OCR’s investigative work."

For reprint and licensing requests for this article, click here.