A report issued by the Department of Health and Human Services Office of Inspector General (“OIG”) concludes that the Office for Civil Rights (“OCR”) did not meet all of its federal requirements for oversight and enforcement of the HIPAA Security Rule. While the report noted OCR met some of these requirements, it also found that:

  • OCR had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements.
  • OCR’s Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation.

OIG also found that OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data. The report recommended that OCR:

  • assess the risks, establish priorities, and implement controls for its HITECH auditing requirements;
  • provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
  • implement sufficient controls, including supervisory review and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and
  • implement the NIST Risk Management Framework for systems used to oversee and enforce the Security Rule.

OCR’s Response. In its response to OIG’s findings, attached as an appendix to the report, OCR generally concurred with OIG’s recommendations and described actions it has taken to address them. OCR’s response to the report provides valuable information to companies as they develop their HIPAA compliance programs, including:

  • From 2008 through 2012, OCR obtained corrective action from covered entities in more than 13,000 cases where it found noncompliance with HIPAA and reached resolution agreements in 11 cases with payments totaling approximately $10 million.
  • The findings from the pilot audits OCR ran in 2012 indicate that covered entities generally have more difficulty complying with the Security Rule than other aspects of HIPAA and that small covered entities struggle with HIPAA compliance in each of the assessment areas – privacy, security and breach notification.
  • Future audits “are less likely to be broad assessments generally across the Rules and more likely to focus on key areas of concern for OCR identified by new initiatives, enforcement concerns, and Departmental priorities.”

OCR’s response also noted that no monies have been appropriated for a permanent audit program. However, covered entities and business associates should not see this lack of funding for a permanent audit program as giving them a pass on HIPAA compliance. The report makes clear that OCR must find a way to meet its audit requirements under HIPAA.

OCR’s recent enforcement activity also demonstrates a commitment to holding companies accountable under HIPAA. In 2013 (through December 20), OCR reached five resolution agreements with payments totaling approximately $3.7 million. These figures from a single calendar year represent nearly half the total number of resolution agreements and payments that OCR obtained over the five-year period from 2008 through 2012.

In this enforcement environment, it is imperative that covered entities and business associates regularly review their HIPAA compliance program and implement ongoing HIPAA training for their employees.

Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Michael R. Bertoncini

Michael R. Bertoncini is a principal in the Boston, Massachusetts, office of Jackson Lewis. He is a member of the Healthcare industry group and a member of the Higher Education group.

With a background as a former Deputy General Counsel, Michael understands first-hand the competing demands and unique challenges faced by in-house counsel. Before joining Jackson Lewis, he was responsible for all labor and employment law matters for the largest fully integrated community care hospital system in New England. Michael provides timely, practical advice that helps clients achieve their strategic goals while ensuring compliance with legal obligations.

With deep experience in a broad range of industries, Michael has a keen interest in the healthcare, higher education, museum, and arts & music sectors. He is dedicated to supporting clients in these areas, leveraging his extensive experience to address the specific challenges faced by institutions and organizations in these fields.

Michael regularly partners with clients to establish positive employee relations. In labor relations matters, he negotiates collective bargaining agreements on behalf of organized clients, represents clients in labor arbitrations and National Labor Relations Board proceedings, and counsels clients with respect to rights and obligations under collective bargaining agreements and applicable labor and employment laws. He also has extensive experience in advising organizations responding to corporate campaigns and negotiating neutrality agreements.

Michael’s privacy and data security practice focuses on advising clients on complying with HIPAA and other state and federal privacy and data security laws. He reviews and develops policies and procedures, written information security plans and integrated compliance programs to ensure his clients meet their obligations under privacy and data security laws. Michael represents clients in investigations of alleged data breaches and advises them on reporting obligations. He also conducts workplace training programs on HIPAA compliance and related privacy and data security topics.