Recent OIG reports signal an upcoming increase in OCR activity and oversight of HIPAA covered entities, even in the absence of a breach.
On September 29th, the Office of Inspector General (OIG) in the U.S. Department of Health and Human Services (HHS) released two reports which reviewed the successes and shortcoming in the Office for Civil Rights’ (OCR) oversight of Health Insurance Portability and Accountability Act (HIPAA) compliance for covered entities. OCR is responsible for overseeing covered entities’ compliance with the HIPAA standards, which include the Breach Notification Rule, the Privacy Rule and the Security Rule. In one report, the OIG provided conclusions and recommendations from their study on covered entities’ compliance with the HIPAA Privacy Rule, while in the other report, the OIG provided conclusions and recommendations from their investigation of OCR’s follow-up on breaches of patient health information which are reported to OCR. In both studies, the OIG reached some similar conclusions. The guidance provided by these reports should be recognized by providers for what it is: harbingers of OCR’s likely future enforcement activity.
One of the key findings by the OIG likely to have a direct impact on providers, is that OCR will now proactively audit covered entities to monitor compliance with the Privacy Rule, as opposed to its traditional approach of initiating investigations as a result of complaints or breach reports. The fact that OCR has not been proactively auditing covered entities allows for some level of comfort for covered entities, as there is not a great concern that OCR will conduct an investigation of a covered entity unless a potential breach or violation were reported. It is likely that this will be changing in the very near future, as the OIG has recommended that OCR improve its oversight of covered entities and take a proactive stance, by instituting a permanent audit program, as opposed to OCR’s current reactive posture. In addition, the OIG recommended improving the tracking system which OCR uses to keep records about investigations of covered entities. Such improvements in record-keeping and tracking investigations could mean that OCR will be more likely to impose penalties, as it will more easily be able to determine when covered entities are the subject of multiple investigations.
Regarding the follow-up of breaches, the OIG made some similar recommendations concerning the need for OCR to improve its tracking system. The OIG recommended that OCR more uniformly enter information about breaches, whether large or small, into a searchable database. At present, OCR has largely focused on thoroughly investigating large breaches (e.g. breaches of 500 or more affected individuals) that are reported to it. However, the OIG has now recommended that OCR also track and follow-up on small breaches that are reported to it. This could have a significant impact on providers who may experience several small breaches, as it will be more likely that OCR will now closely track and examine covered entities that experience several small breaches. In addition, the OIG recommended that OCR maintain more complete documentation in its database of corrective actions taken by covered entities that experience a breach. Currently, because OCR does not keep thorough records of corrective actions, covered entities may be able to get away with implementing few changes if they experience a breach. Once OCR implements these recommendations to better document corrective actions taken by covered entities, it will place greater scrutiny on these corrective actions that covered entities take to ensure that the covered entities carry out the necessary changes and prevent the occurrence of a similar breach in the future.
It is extremely important for providers to understand how to comply with HIPAA, as well as what to do if they experience a breach. These reports serve to emphasize the importance of compliance and the ways in which OCR will begin to more actively investigate HIPAA compliance. Frier Levitt has a great deal of experience in this area, and can help you and your practice to comply with the many HIPAA requirements. Contact us today to speak to an attorney.