OIG Issues Report on HIPAA Breaches and Oversight

Oct 22, 2015

When it comes to HIPAA breaches, entity size does not matter. What matters is the Office for Civil Rights (OCR)’s oversight and compliance.

A couple of weeks ago, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) released dual reports - OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With The HIPAA Privacyand OCR Should Strengthen Its Follow-up Of Breaches Of Patient Health Information Reported By Covered Entities. I plan on addressing some of the highlights of the reports and then will have tips for physicians, regardless of the size of the practice.

As the titles of the two aforementioned reports suggest, the OIG found deficiencies in OCR’s administration and oversight of compliance with the HIPAA Privacy Rules, as well as the need to strengthen its follow-up of reported breaches. While these two reports specifically highlighted covered entities, it is important to reemphasize that business associates and subcontractors are still susceptible to the same regulations and penalties.

Here are some of the key areas of the reports:

OCR ‘s oversight is reactive versus proactive (98 percent of cases were initiated because of complaints);
Although the HITECH Act required audits in February 2010, “OCR has not fully implemented an audit program to proactively assess covered entities’ compliance with the privacy standards;”
OCR has to develop an efficient case-tracking system;
“Although OCR documented corrective action for most of the closed large breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities;” and
OCR has to keep better records of small breaches.

What does this mean for physicians? First, it is likely that OCR is going to ramp up investigations and, subsequently fines. Second, more complete documentation means quicker response time. Third, since the size of the entity does not matter, the compliance requirements, including a comprehensive risk assessment, adequate policies, and procedures and encryption are going to be even more crucial. In other words, being proactive instead of reactive can keep the entity off of HHS’ Wall of Shame.

Related Content

The new kid on the block: The Federal Trade Commission and data sharing

March 9th 2023

Article

Two recent settlements underscore the FTC's status as an enforcement agency with the power to enforce consumers’ rights in relation to their sensitive information.

Certifying Your Communications Technology is Secure

July 5th 2021

Podcast

Physicians Practice® spoke with Michael Parisi, Vice President of assurance strategy and Community Development at high trust Alliance, about how physicians and practice owners can discern whether or not communications technology they are interested in integrating into their practice is certified secure.

10 Ways to protect your practice from a data breach

March 3rd 2023

Article

Healthcare records and data contain sensitive information, making them a prime target for cybercriminals. Learn how to protect your practice from a data breach.

Specialty telemedicine for independent practices

March 29th 2021

Podcast

Physicians Practice® spoke with Dr. Jonathan Wisen, Founder and Chief Medical Officer of MediOrbis, about specialty telemedicine for the treatment of chronic conditions and how these technologies can improve a practice's offerings and patient outcomes.

CMS proposes changes to the 60-day rule

January 26th 2023

Article

On March 23, 2010, the 60-Day Rule was enacted as Section 6402 of the Affordable Care Act.