Home 5 G2 Lab and Pathology Insider 5 archive 5 OIG Report Says OCR Needs to Improve Enforcement of HIPAA

OIG Report Says OCR Needs to Improve Enforcement of HIPAA

By Kelly A. Briganti, Editorial Director, G2 Intelligence The protection of individuals’ private health information isn’t being adequately enforced, according to the Health and Human Services Office of Inspector General (OIG). The OIG issued two reports criticizing the Office for Civil Rights (OCR) for failing to proactively enforce privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) and follow through fully on the enforcement action it does take. In the first report, focused on privacy rule enforcement, the OIG found that the OCR was more reactive than proactive in investigating noncompliance and failed to fully implement its required audit program. The OIG also said OCR failed to follow up on corrective action and wasn’t checking for prior history of noncompliance when investigating violations. The OIG found, however, that such review of prior history was also hampered by “limited search functionality” of its case-tracking system. Therefore, the OIG called for full implementation of OCR’s audit program, improved documentation, and better case-tracking systems which staff should be required to check. A second OIG Report criticized OCR for failing to adequately follow up on breaches of protected health information privacy, finding incomplete documentation of corrective actions in 23 percent of cases. […]

By Kelly A. Briganti, Editorial Director, G2 Intelligence

The protection of individuals’ private health information isn’t being adequately enforced, according to the Health and Human Services Office of Inspector General (OIG). The OIG issued two reports criticizing the Office for Civil Rights (OCR) for failing to proactively enforce privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) and follow through fully on the enforcement action it does take.

In the first report, focused on privacy rule enforcement, the OIG found that the OCR was more reactive than proactive in investigating noncompliance and failed to fully implement its required audit program. The OIG also said OCR failed to follow up on corrective action and wasn’t checking for prior history of noncompliance when investigating violations. The OIG found, however, that such review of prior history was also hampered by “limited search functionality” of its case-tracking system. Therefore, the OIG called for full implementation of OCR’s audit program, improved documentation, and better case-tracking systems which staff should be required to check.

A second OIG Report criticized OCR for failing to adequately follow up on breaches of protected health information privacy, finding incomplete documentation of corrective actions in 23 percent of cases. The same failure to check prior history of noncompliance during investigations was cited in this report as well. Thus, the OIG recommended improvements to case-tracking systems that include tracking small-breach information, requiring staff check for prior breaches, and improved documentation of corrective action in breach notification cases.