The U.S. Department for Health & Human Services’ Office of Inspector General (OIG) has conducted two recent studies calling for tighter enforcement of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA).
OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With the HIPAA Privacy Standards
In the first study, the OIG recommends that the Office of Civil Rights (OCR), the government agency responsible for enforcing covered entities’ compliance with the HIPAA Privacy Standards, should strengthen its oversight of these privacy standards. The OIG reviewed a statistical sample of privacy cases investigated by the OCR from September 2009 through March 2011, surveyed and interviewed OCR staff, reviewed the OCR’s investigation policies, and surveyed providers’ compliance with five selected privacy standards.
Based upon this review, the OIG concluded that OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule. It criticized the OCR’s oversight as “primarily reactive” and suggested that the OCR be more proactive by implementing a permanent audit program. The OIG found that the OCR did not have complete documentation of corrective actions taken by the covered entities in 26% of closed privacy cases and recommended that the OCR maintain complete documentation of corrective action. The OIG also recommended that the OCR develop “an efficient method in its case-tracking system to search for and track covered entities” to check whether covered entities had been previously investigated. Finally, the OIG recommended that the OCR continue to expand outreach and education efforts to covered entities, since 27% of the Part B providers surveyed did not comply with the selected privacy standards. The OIG concluded that “[t]hese Part B providers may not be adequately safeguarding PHI.”
OCR Should Strengthen Its Follow-Up of Breaches of Patient Health Information Reported by Covered Entities
In the second study, the OIG recommends that the OCR should strengthen its follow-up of breaches of patient health information reported by covered entities. In this study, the OIG reviewed a statistical sample of large and small breaches reported to the OCR from September 2009 through March 2011. The OIG reviewed the OCR’s investigation policies and talked to OCR staff. The OIG also surveyed a sample of Medicare Part B providers and reviewed documents that they provided to determine the extent to which the providers addressed three selected breach administrative standards.
The OIG concluded that the OCR should strengthen its follow-up of breaches of PHI reported by covered entities. Similar to its recommendations related to the privacy standards, the OIG criticized the fact that investigators could not, or did not, determine whether the covered entities had prior HIPAA issues because the tracking system was inadequate, and most of the recommendations relate to this tracking system. The OIG recommended that the OCR enter small-breach information into its case-tracking system or a searchable database linked to it, maintain complete documentation of corrective action, develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches, and develop a policy requiring OCR staff to check whether covered entities reported prior breaches. The OIG also recommended that the OCR continue to expand outreach and education efforts to covered entities, since its review of the surveys revealed that 27% of Medicare Part B providers did not address all three selected breach administrative standards.
The OCR agreed with the OIG reports, so providers can expect to see increased and tightened enforcement of the HIPAA Privacy and Security Rules in the near future.