OIG Recommends Strengthening OCR Oversight of HIPAA Privacy and Breach Follow-up
By Beth Pitman | 10-01-2015

The Office of Inspector General (OIG) recently released two reports recommending that the Office of Civil Rights (OCR) strengthen (1) its oversight of covered entity compliance with HIPAA privacy standards, and (2) its follow-up of reported breaches of patient protected health information. OCR is responsible for overseeing and enforcing HIPAA.

With regard to OCR’s HIPAA privacy oversight, it was recommended that OCR:

  • Fully implement a permanent audit program
  • Maintain complete documentation of corrective action
  • Develop an efficient method in its case-tracking system to search for and track covered entities
  • Develop a policy requiring OCR staff to check whether covered entities have been previously investigated
  • Continue to expand outreach and education efforts to covered entities

Following an analysis of both large and small reported breaches from 2009-2011, the OIG recommended that OCR:

  • Enter small-breach information into its case-tracking system or a searchable database linked to it
  • Maintain complete documentation of corrective action
  • Develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches
  • Develop a policy requiring OCR staff to check whether covered entities reported prior breaches
  • Continue to expand outreach and education efforts to covered entities

OCR concurred with all of the OIG's recommendations. Attached to the reports are OCR's comments on the recommendations and the specific actions it plans in response. Most notably, OCR stated that in early 2016 it will launch Phase 2 of its audit program, using a combination of "desk" reviews of policies and procedures and on-site audits. The audits will include HIPAA business associates.

These reports are part of a series of biannual reports analyzing OCR's oversight and enforcement activities. In May 2011, the OIG found that ePHI in hospitals was subject to significant vulnerabilities to unauthorized access, use and disclosure. The November 2013 report found that OCR had failed to meet all Federal requirements in its oversight and enforcement of the HIPAA Security Rule.

Author Information

Elizabeth N. Pitman, CHPC
205.226.5704
beth.pitman@wallerlaw.com