In two recent reports, each with a specific focus, the OIG strongly recommended that the Office for Civil Rights (OCR) step up its HIPAA oversight and enforcement activities. One report assessed the OCR’s oversight of covered entities’ compliance with the HIPAA privacy rule and the second analyzed the OCR’s enforcement related to reported breaches. In conducting its analysis under both reports, the OIG reviewed closed cases involving alleged or actual violations of HIPAA privacy requirements and previously reported breaches. The analysis also involved surveys of OCR staff and interviews with OCR officials. The OIG’s findings and recommendations are summarized below.
The OIG took issue with the fact that the OCR’s oversight activities are primarily reactive, triggered by complaints, self-reporting (in the context of a breach), tips or media reports, rather than proactive initiatives. The OCR stated that it has not fully implemented the proactive audit program mandated by the HITECH Act, which is intended to assess covered entities’ compliance with the privacy standards. Accordingly, the OIG recommended that the OCR implement a permanent audit program to supplement the OCR’s investigation activities.
The OCR concurred with the OIG’s recommendations and noted that it will be launching a permanent audit program in early 2016 that will include both desk reviews and onsite reviews. These audits will also cover HIPAA business associates. Notwithstanding the anticipated audit program, the OCR noted that budgetary constraints have presented an obstacle to taking on the additional responsibilities that may be required of it. Accordingly, the OCR stated, the longevity of the audit program will depend on the availability of necessary resources.