Expect More Concerted HIPAA Enforcement Due to OIG Reports

Oct 16, 2015 | National Lab Reporter

The protection of individuals' private health information isn't being adequately enforced, according to the Health and Human Services Office of Inspector General (OIG). The OIG issued two reports criticizing the Office for Civil Rights (OCR) for failing to proactively enforce privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) and follow through fully on the enforcement action it does take.

In the first report, focused on privacy rule enforcement, the OIG reviewed enforcement cases from 2009-2011 and found that the OCR was more reactive than proactive in investigating noncompliance and failed to fully implement its required audit program. While OCR requested corrective action in most cases of noncompliance with HIPAA privacy rules, the OIG said it failed to follow up on those corrective action requirements—lacking documentation of corrective actions in 26 percent of closed privacy cases. OCR staff also failed to check for prior history of noncompliance, but even if they had, the OIG found that such review would be hampered by "limited search functionality" of its case-tracking system. Therefore, the OIG called for full implementation of OCR's audit program, improved documentation, and better case-tracking systems, which staff should be required to check. It also recommended that OCR continue to expand outreach and education efforts to prevent noncompliance.

A second OIG report criticized OCR for failing to adequately follow up on breaches of protected health information privacy. The OIG reviewed a statistical sampling of breach cases (both large and small) and found that while corrective action was documented in most large-breach cases, there was incomplete documentation of corrective actions in 23 percent of cases. Once again, OCR staff were criticized for failure to check for prior history of noncompliance. While 61 percent of staff "at least sometimes" checked for prior reports of large breaches by a covered entity, 39 "rarely or never" checked, and the case-tracking system's limited functionality was again blamed for failing to facilitate such searches. Thus, the OIG recommended improvements to case-tracking systems that include tracking small-breach information, requiring staff to check for prior breaches, and improved documentation of corrective action in breach notification cases. The OIG also again emphasized the need for the OCR to provide outreach and education to covered entities.

Takeaway: Laboratories and other covered entities may benefit from additional education and assistance from OCR but should also expect increased oversight and enforcement of HIPAA's privacy and breach notification rules.
