Audit Finds Three Major Deficiencies In Oversight of Security Rule

The Office for Civil Rights (OCR) would be cited for several major deficiencies if it were conducting one of its Health Insurance Portability and Accountability Act security rule audits on itself, implied a report of a November audit conducted by the Health and Human Services Office of Inspector General (OIG). According to the report, OCR failed to assess risks, establish priorities, and implement controls to provide for periodic audits of covered entities; OCR’s files did not contain required documentation supporting key decisions; and OCR had not fully complied with federal cyber-security requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its own information systems used to process and store investigation data. The two main objectives of the audit were to determine if OCR met federal requirements for oversight and enforcement of the security rule and if OCR’s computer systems used to oversee and enforce the security rule met federal cybersecurity requirements. OCR failed on both objectives, which is a little disconcerting considering the concerns about protecting patient privacy from hackers and employee errors as we move into the next phases of implementing the Affordable Care Act. As more people use the Internet to sign up for medical insurance, the risk of some kind of breach increases while the effectiveness of OCR oversight appears to be lacking. The report was not all bad news. OCR did meet some of the federal requirements for oversight and enforcement of the security rule. For instance, OCR made guidance that promoted compliance with the security rule available to covered entities, and OCR established an investigation process for responding to reported violations of the security rule. OCR also followed federal regulations when imposing penalties for security rule violators. The report notes that the Health Information Technology for Economic and Clinical Health Act (HITECH) redelegated responsibility for oversight of the security rule to OCR and required OCR to begin conducting self-initiated audits to ensure providers were complying with the security rule. OCR did not provide for periodic audits as mandated by HITECH. Instead, OCR continued to work under a complaint-driven system. OCR also had not established controls that would allow it to comply with audit requirements. There were no risk assessments to determine which entities or systems for storing or processing electronic protected health information (ePHI) presented the greatest risk of exposure. Instead of assessing the risks, establishing priorities, and implementing controls for the redelegated security rule oversight and the HITECH requirements, OCR applied the resources and procedures it had been using for its responsibilities in civil rights and health privacy oversight and enforcement before the redelegation. In other words, OCR did not change its mind-set to allow it to meet the new oversight responsibilities. OCR allocated its resources to manage an increasing number of investigations resulting from a variety of sources. As a result, OCR had limited information about the status of security rule compliance at covered entities, the report concluded. On the matter of insufficient records and documentation, the audit revealed that 39 of 60 selected records were missing required documents. According to the report, this occurred because OCR investigators did not consistently follow OCR’s policies and procedures for documenting case investigations and OCR management did not implement sufficient controls, such as supervisory reviews, to ensure that the investigators did so. Once again, OCR could not be certain, or could not document, that covered entities were complying with the security rule. Finally, the Federal Information Security Management Act of 2002 (FISMA) requires each federal agency to develop, document, and implement an agencywide program to provide information security for the information and information systems that support the operations and assets of the agency. Health and Human Services (HHS) requires its divisions to follow FISMA and other federal cybersecurity requirements. Specifically, HHS requires security authorizations, privacy impact assessments, risk analyses, and system security plans for its federal information systems. According to the audit, OCR’s computer systems did not fully comply with this requirement. OCR did not obtain HHS authorization to operate three systems, did not complete an assessment and risk analysis on all of its systems, and did not meet other federal security requirements for its systems as appropriate. Instead, management at OCR focused on operability of the systems rather than on security. OIG Recommendations In the audit report, the OIG made four specific recommendations, saying OCR should:

1. Assess the risks and establish priorities and controls to meet its HITECH auditing requirements;
2. Provide for periodic audits to ensure compliance with the security rule;
3. Implement controls to ensure proper documentation of investigations and compliance with the security rule; and
4. Implement the NIST framework.

In its response to the audit findings, OCR generally concurred with the findings and recommendations and described actions it had taken so far to meet them. However, in its comments concerning the audit report, OCR said funds had not been appropriated for a permanent audit program and the funds it used to conduct previous audits were no longer available. The OIG closed the report with the comment, “We remain concerned about OCR’s ability to comply with the HITECH audit requirement and the resulting limited assurance that ePHI is secure at covered entities because of OCR’s comment regarding limited funding resources for its audit mandates.” Takeaway: The OCR has not done a good job of overseeing the security rule or meeting its audit requirements. However, your laboratory is expected to be in compliance with the security rule whether or not OCR is conducting audits to verify compliance.