OIG Faults OCR Breach Investigations

An audit of how well the HHS Office for Civil Rights follows up investigations of breaches of protected health information has found that OCR may not adequately consider the level of resources available to the agency.

Nonetheless, one recommendation from the HHS Office of Inspector General, which did a study of how OCR conducts investigations, may be more harmful than good, says Adam Greene, a former OCR official and now a partner in the Davis Wright Tremaine law firm in Washington.

OIG found that OCR investigates large breaches affecting at least 500 individuals as is required, and almost always finds noncompliance with at least one HIPAA standard. “Although OCR documented corrective action for most of the closed large breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities,” according to OIG.

But while OIG would like to see cases properly closed, OCR and the industry as a whole might be better off closing cases on a promise to mitigate vulnerabilities, Greene believes. Not fully resolving each case but getting the promise enables OCR to spend more resources on other cases.

Also, rather than spending time fully closing cases in which covered entities already have agreed to make security improvements, Greene would like to see OCR finish long-needed industry guidance on what constitutes a “compromise” of protected health information, to better determine whether a breach really needs to be reported.

The question is, if a “compromise” happened because information was inadvertently accessed but not used or disclosed, is it a breach worth reporting?

In these cases, HIPAA covered entities are required to consider four factors in deciding if a breach is reportable: the nature of the information, including its sensitivity and identifiability; the nature of the recipient, such as whether it is a covered entity; the type of information actually accessed or viewed; and the success of efforts to mitigate the problem.

Greene says the problem is that two covered entities can apply the four factors to substantially the same type of incident and decide differently whether there has been a compromise of protected health information.

Better guidance on this and other issues from OCR would be helpful to the industry, Greene argues. But when looking to see how HIPAA can be improved, the issues raised by OIG are not at the top of the list.

OCR did not respond to a request for comment on the report, which is available here.
