Take a look at the Department of Health and Human Services’ Office for Civil Rights website and you will discover relatively few financial penalties have been issued for HIPAA Privacy violations. Even apparently serious violations of HIPAA Rules have not always resulted in financial penalties being issued.
Out of the thousands of data breaches listed on the website, only a tiny percentage have resulted in financial penalties being issued, with the OCR often favoring other enforcement actions. This has not gone unnoticed by the Office of the Inspector General (OIG). The OIG has just published the findings from two studies conducted on the OCR to assess how well the agency is enforcing HIPAA Rules.
Poor Oversight of HIPAA Covered Entities
The first study was conducted to assess the OCR’s oversight of covered entities’ compliance with the Privacy Rule.
OIG investigators took a sample of Medicare Part B providers that had reported data breaches to the OCR between September 2009 and March 2011. The OIG then assessed the extent to which those organizations had addressed five privacy standards. OCR staff and officials were also interviewed during the study. Investigators discovered a number of issues which the OCR must address to bring its enforcement activities up to the required standard. The report stated in no uncertain terms on the front page, in big bold type, exactly what the agency must do:
“OCR should strengthen its oversight of covered entities’ compliance with the HIPAA privacy standards”
The main problem was found to be the OCR’s lack of proactivity in assessing compliance with the Privacy Rule. In an ideal world, the OCR should be conducting random audits to determine whether covered entities are meeting Privacy Rule standards. Such a program would likely find many organizations that are willfully disregarding HIPAA Rules, but its implementation would also likely spur many organizations into action. A very real chance of being discovered in violation of HIPAA Rules would likely prompt those organizations to address their areas of non-compliance.
The OIG found that the OCR primarily investigated possible noncompliance in response to complaints it had received. The OIG said “OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.”
When violations of the Privacy Rule were discovered, corrective action was requested; however, the “OCR did not have complete documentation of the corrective actions taken by those covered entities in 26 percent of closed privacy cases.”
The OIG investigators also determined that “71 percent of OCR staff at least sometimes checked whether covered entities had been previously investigated, some rarely or never did so.”
These failures can, in part, be explained by the budgetary constraints the OCR has to deal with, although there are other reasons. The investigators found that the OCR’s “case-tracking system has limited search functionality and [that the] OCR does not have a standard way to enter covered entities’ names in the system.”
Regardless of the reasons why enforcement of HIPAA Rules has been lax, the situation cannot continue. The OIG made a number of recommendations that must be addressed to ensure HIPAA standards are met and maintained by covered entities. Those recommendations were:
- To implement a permanent program of HIPAA Privacy Rule compliance audits
- To maintain a complete set of documentation on the corrective actions taken to address Privacy Rule violations
- To implement an efficient method of case-tracking to allow the OCR to track covered entities
- To develop policies to ensure that checks take place to determine whether covered entities have previously been investigated by the OCR for HIPAA violations
- That the OCR should continue to develop and release guidance to aid HIPAA-covered entities with their compliance efforts, and to expand its efforts in this regard
The full OIG report on oversight of compliance efforts can be downloaded here.
Breach Follow-up Efforts Found to be Lax
The second report detailed a further investigation into the OCR’s efforts to oversee compliance with HIPAA standards. The study assessed entities that had submitted breach reports affecting more than 500 individuals, as well as smaller data breaches affecting fewer than 500 people. The second study covered the same time period as the first, and involved a similar methodology.
The main instruction that came from the study was:
“OCR should strengthen its follow-up of breaches of patient health information reported by covered entities”
The OCR has previously stated that it investigates all data breaches affecting more than 500 individuals, and this was found to be true in almost all cases.
The investigators found that the majority of breach reports submitted involved at least one violation of a HIPAA standard; however, “23 percent of cases had incomplete documentation of corrective actions taken by covered entities.” While documentation was collected and recorded in the OCR’s case-tracking system for large-scale data breaches, this was found not to be the case for data breaches affecting fewer than 500 individuals. “OCR also did not record small-breach information in its case-tracking system, which limits its ability to track and identify covered entities with multiple small breaches.”
As a result, a covered entity could suffer multiple data breaches affecting small numbers of patients, but the OCR would not always be able to determine this when investigating the organization for a large-scale data breach. In such a situation, a financial penalty may be appropriate, yet may not be issued based on the information available.
According to the report, “61 percent of OCR staff checked at least sometimes as to whether covered entities had reported prior large breaches, 39 percent rarely or never did so.” As with the first study, the case-tracking system was not up to the task.
The documentation review conducted by the investigators determined that “most [covered entities] addressed all three selected breach administrative standards but 27 percent did not. These providers may not be adequately safeguarding PHI,” the investigators concluded.
The recommendations made by the OIG in its second report were as follows:
- Small-data breach information must be entered into the OCR’s case-tracking system, not only information relating to large-scale data breaches
- Complete documentation must be maintained on all corrective actions taken by covered entities
- The OCR should develop “an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches”
- The OCR must develop a policy that requires OCR staff to check whether covered entities have reported prior breaches
- The OCR must expand outreach and education efforts
The second OIG report on data breach follow-ups can be downloaded here.