OCR not fully enforcing HIPAA

The Office for Civil Rights, the agency that enforces privacy provisions of HIPAA, has not fully enforced the law's requirements, according to a report from the U.S. Department of Health & Human Services Office of Inspector General.

OCR has not conducted the required audits of covered entities to determine how they handle patient information and has failed to maintain documentation to support key decisions, according to the report.

In addition, it says OCR has focused on interoperability in systems to process and store information to the detriment of system and data security. It criticizes the agency for not completing privacy impact assessments, risk analyses or system security plans for two of the three systems used to oversee the Security Rule.

"Exploitation of system vulnerabilities, normally identified through the risk-management process, could impair OCR's ability to perform functions vital to its mission," the report's authors state.

The report recommends that the agency:

  • Assess the risks, and establish priorities and controls for its auditing requirements.
  • Conduct periodic audits of covered entities to ensure their compliance.
  • Implement sufficient controls, including supervisory review and documentation retention, to ensure policies and procedures for Security Rule investigations are followed.
  • Implement the National Institute of Standards and Technology (NIST) Risk Management Framework for systems used to oversee and enforce the Security Rule.

Among OCR's responses, it noted that no funds have been appropriated for a permanent audit program and the previous funds used for that purpose are no longer available.

"We remain concerned about OCR's ability to comply with the HITECH audit requirement and the resulting limited assurance that ePHI is secure at covered entities because of OCR's comment regarding limited funding resources for its audit mandates," the report says.

Leon Rodriguez, OCR director, speaking at the HIMSS Privacy and Security Forum in Boston, said the permanent HIPAA auditing program slated to begin next year will be narrower in scope than the 2012 auditing pilot program.

In the pilot program, a lack of thorough risk analysis was found to be a major weakness. In the permanent program, he said, audits will place a special focus on vulnerabilities that can change from year to year.

Aware of the difficulties smaller organizations face in complying, OCR is offering guidance and technical assistance to covered entities, as well as to business associates.

To learn more:
- read the report (.pdf)