OCR Didn’t Meet HIPAA Security Requirements

Posted on December 27, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

Oops, this doesn't sound good. According to a report from the HHS Office of Inspector General (OIG), the department's Office for Civil Rights (OCR) has failed to meet the requirements for oversight and enforcement of the HIPAA security rule.

The 26-page report spells out several problems with OCR's enforcement of the security rule, whose oversight regime was expanded by the HITECH Act of 2009 to require periodic audits of covered entities and their business associates. The weaknesses found leave procedural holes that could undermine OCR's ability to do its job with respect to the security rule, the OIG said.

What was OCR failing to do? For one thing, the report contends, OCR had not assessed the risks, established priorities or implemented controls for the HITECH-required audits of covered entities' security rule compliance. Another example: OCR's investigation files didn't contain the required documentation supporting key decisions made by staff, because staff didn't consistently follow the office's procedures for reviewing case documentation.

What's more, OCR apparently hasn't been implementing sufficient controls, including supervisory review and documentation retention, to make sure investigators follow its policies and procedures for properly managing security rule investigations.

The OIG also found that OCR wasn't complying with federal cybersecurity requirements for its own information systems, the ones used to process and store data on investigations. Among the neglected requirements was obtaining HHS authorization to operate the system used to oversee and enforce the security rule. OCR also failed to complete privacy impact assessments, risk analyses or system security plans for two of its three systems, the OIG concluded.

All told, it seems that if OCR is going to oversee the security rule properly, and hold covered entities to risk analyses and system security plans, it had better get its own act together first.