Mr. Jamie D. Scott of M/S Graydon Head & Retchey LLP noticed that due to publicity HIPAA privacy and security breaches have been a highlighted item in the news this year. This publicity has increased the public awareness regarding the HIPAA breaches which has put enormous pressure on the Department of Health and Human Services’ Office of Civil Rights (“OCR”) for the vigorous enforcement. After the recently release of a report by the HHS Office of the Inspector General, summarizing the internal investigations of enforcement practices of OCR.
The report pinpointed few cases of triage deficiencies, where OCR was not serious regarding overlooking systematic HIPAA errors by the repeated breach-filers due to case-tracking database flaws. OCR investigated the HIPAA security breach reported by any covered entity, including a group health plan to confirm the covered entity has complied with HIPAA’s breach requirements, guarantying that the entity has corrected any security deficiencies, and assess appropriate penalties. Some OCR investigators are not checking the database before starting new investigations. It was also pointed out in the report that OCR had not collected sufficient documentation to confirm at a covered entity fully corrected its prior deficiencies, in approximately 25% investigations and OCR agreed to be more thorough in future investigations. If OCR is more firm in its enforcement system, the investigations of breach on the report of covered entities.
The timings of Inspector General’s report matched with the OCR’s planning to send to surveys covet entities for “Phase 2” of HIPAA audit program. These Phase 2 audits will be started without the reporting of any breach report, and are expected to start during this winter.