During 2015, the Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (“HHS”) released two reports that highlighted weaknesses in the HHS Office for Civil Rights (“OCR”) oversight of HIPAA enforcement, finding that OCR’s current program is largely reactive and does not proactively assess possible noncompliance with HIPAA. The reports observed that OCR’s investigations generally depend on actions taken by covered entities, such as self-reporting of breaches, or on responses to complaints, tips, or media reports about breaches. OIG recommended that OCR implement a permanent audit program and improve its ability to find and track earlier breach reports filed by entities, in order to identify those that may have systemic problems with HIPAA compliance. OIG also asked that OCR track smaller breaches alongside larger ones so that patterns of noncompliance can be recognized.
In response to the OIG reports, OCR affirmed that it is complying with the requirements of the Breach Notification Rule by ensuring strong privacy protections for individuals’ identifiable health information and ensuring that covered entities and their business associates. Responding to OIG’s September recommendations, OCR stated on 9/23/2015 that it is moving forward with a permanent audit program that would include periodic audits. OCR is confident that Phase 2 of this program will be implemented in early 2016. This phase will test the efficacy of a combination of desk reviews of an entity’s policies and on-site reviews. It will target specific areas of noncompliance and will also directly audit business associates. In the coming months, OCR will update the audit protocols, refine the pool of potential audit subjects, and implement screening tools to assess size, entity type, and other information about potential audit subjects.
OCR is also updating its electronic document management system and investigations tracking system to enhance its audit program. The updated system can track entities’ historical breach reports, including reports of breaches affecting fewer than 500 individuals, to help OCR identify each covered entity’s compliance history. With this capability, OCR can become more proactive in its enforcement efforts against entities that experience repeated breaches, whether large or small. OCR also plans to develop a standardized process requiring all OCR investigators to consistently check for prior breaches submitted by covered entities and their business associates when initiating an investigation.
Because the Phase 2 HIPAA audit program covers both covered entities and business associates, both should watch for additional outreach and educational resources issued by OCR, including new audit protocols and other compliance guidance, to help prepare for a potential audit. Covered entities and business associates should also review their own internal processes, including conducting routine security risk assessments, reviewing privacy and security policies and procedures, and undergoing HIPAA compliance training.