OIG Issues Report on HIPAA Breaches and Oversight

October 22, 2015

When it comes to HIPAA breaches, entity size does not matter. What matters is the Office for Civil Rights (OCR)’s oversight and compliance.

A couple of weeks ago, the Department of Health and Human Services (HHS) Office of the Inspector General (OIG) released two reports: OCR Should Strengthen Its Oversight of Covered Entities’ Compliance With The HIPAA Privacy and OCR Should Strengthen Its Follow-up Of Breaches Of Patient Health Information Reported By Covered Entities. I plan on addressing some of the highlights of the reports and then will have tips for physicians, regardless of the size of the practice.

As the titles of the two aforementioned reports suggest, the OIG found deficiencies in OCR’s administration and oversight of compliance with the HIPAA Privacy Rules, as well as the need to strengthen its follow-up of reported breaches. While these two reports specifically highlighted covered entities, it is important to reemphasize that business associates and subcontractors are still susceptible to the same regulations and penalties.

Here are some of the key areas of the reports:

  • OCR’s oversight is reactive versus proactive (98 percent of cases were initiated because of complaints);
  • Although the HITECH Act required audits in February 2010, “OCR has not fully implemented an audit program to proactively assess covered entities’ compliance with the privacy standards;”
  • OCR has to develop an efficient case-tracking system;
  • “Although OCR documented corrective action for most of the closed large breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities;” and
  • OCR has to keep better records of small breaches.

What does this mean for physicians? First, it is likely that OCR is going to ramp up investigations and, subsequently, fines. Second, more complete documentation means quicker response time. Third, since the size of the entity does not matter, the compliance requirements, including a comprehensive risk assessment, adequate policies and procedures, and encryption, are going to be even more crucial. In other words, being proactive instead of reactive can keep the entity off HHS’ Wall of Shame.