The Office of Inspector General (OIG) recently released two reports recommending that the Office of Civil Rights (OCR) strengthen (1) its oversight of covered entity compliance with HIPAA privacy standards, and (2) its follow-up on reported breaches of patient protected health information. OCR is responsible for overseeing and enforcing HIPAA.
With regard to OCR’s HIPAA privacy oversight, it was recommended that OCR:
Following an analysis of both large and small reported breaches from 2009-2011, the OIG recommended that OCR:
The OCR concurred in all recommendations made by OIG. Attached to the reports are the OCR comments to the recommendations and specific responsive actions. Most notably, OCR stated that in early 2016 it will launch Phase 2 of its audit program using a combination of “desk” reviews of policies and procedures and on-site audits. The audits will include HIPAA business associates.
These reports are part of a series of biannual reports analyzing the OCR’s oversight and enforcement activities. In May 2011, the OIG found that electronic protected health information (ePHI) in hospitals was subject to significant vulnerabilities to unauthorized access, use and disclosure. The November 2013 report found that OCR failed to meet all Federal requirements in oversight and enforcement of the HIPAA Security Rule.