Reports slam OCR's poor oversight of HIPAA covered entities, breach follow-up efforts

The Department of Health and Human Services Office for Civil Rights (OCR) needs to improve both its oversight of HIPAA covered entities and its follow-up on reported breaches, according to a pair of reports from the Office of the Inspector General (OIG).

The former report was based on reviews of a statistical sample of privacy cases investigated by OCR between September 2009 and March 2011. The latter report was based on audits in which OIG reviewed a statistical sample of large breaches (those affecting 500 people or more) and of small breaches over that same time period. OCR staff members also were interviewed for both reports.

For the former report, OIG called OCR's oversight "primarily reactive," adding that OCR has yet to fully implement its audit program to proactively assess possible noncompliance from covered entities. Earlier this month, OCR Director Jocelyn Samuels announced that her agency has selected a vendor to go forward with the second phase of its HIPAA audit program, but did not say when the program would be in full swing.

The latter report determined that 23 percent of large cases in which a HIPAA violation was found had incomplete documentation of the corrective actions taken.

OCR also did not record small-breach information in its case-tracking system, which limits its ability to track organizations with multiple small breaches, according to the second report.

While 61 percent of OCR staff said they checked for prior large breaches at least sometimes, 39 percent rarely or never did so.

The case-tracking system presents its own challenges, the second report found, with limited search functionality. And OCR does not have a standard way to enter covered entities' names in the system, further limiting search accuracy.

For the former report, OIG recommended that OCR fully implement its permanent audit program and maintain complete documentation of corrective action. The latter report recommends OCR enter small-breach information into its case-tracking system or a searchable database linked to it; maintain complete documentation of corrective action; develop an effective search method for prior breaches; require staff to check for prior breaches; and expand outreach and education efforts to covered entities.

In July, St. Elizabeth's Medical Center in Brighton, Mass., agreed to a $218,400 settlement in its HIPAA case, and OCR recently fined Indiana-based radiation oncology practice Cancer Care Group $750,000 for potential HIPAA violations stemming from theft of a laptop in 2012.

Because these investigations take two or three years, we should expect to see a HIPAA noncompliance enforcement action soon against a business associate, privacy attorney Adam Greene said recently. Business associates first became directly liable for HIPAA compliance in September 2013.

To learn more:
- here's the report on oversight of covered entities' compliance with HIPAA
- read the report on follow-up of breaches of patient information