The Office of the Inspector General (“OIG”) of the Department of Health and Human Services recently released the review results from its assessment of the Office for Civil Rights (“OCR”) oversight of the HIPAA Compliance Rule. Not too surprisingly, the OIG found weaknesses in the way in which OCR oversees compliance with the HIPAA Privacy Rule.
From the 10,000 foot view, the OIG faulted OCR for being more reactive than proactive in determining compliance with the Privacy Rule. Instead of investigating and reviewing organizations before an issue arises, the OIG determined that OCR waits until a complaint is filed before doing any in-depths reviews. The OIG specifically identified the delayed audit program as a culprit in the inability to proactively assess compliance. The OIG also found that OCR did not fully document actions taken when a corrective action plan was put into place or otherwise fully track results. In addition to examining OCR’s activities, the OIG also surveyed a number of Medicare providers to assess the state of compliance with five selected privacy standards. While most providers complied with all of the selected privacy requirements, a fair number did not, which raises questions of how this could still be occurring.
Diving deeper into the OIG’s report, the goal was to (1) assess OCR’s oversight of compliance with the Privacy Rule by covered entities, and (2) determine to what extent providers addressed five selected privacy standards.
The review of OCR and its activities was conducted by reviewing a statistical sample of privacy cases, surveying OCR staff, and interviewing OCR officials. All 113 members of OCR staff who work on privacy cases were surveyed and OIG received a 100% response rate. OIG also interviewed a number OCR officials to gain a better understanding of how OCR operates and what it does to ensure HIPAA compliance.
As indicated initially, the OIG found that OCR has difficulty in proactively monitoring covered entity compliance with the HIPAA Privacy Rule or otherwise following up on those who got into trouble. Despite being required by the HITECH Act to put an audit program into place, OCR has yet to do so. While that statement is true today, more frequent announcements have been coming up the start date for that long-delayed audit program. As noted in previous posts, an outside vendor has ben retained to assist with the audit program, the new protocol is being established, and a start date is getting nearer. Accordingly, this portion of the OIG’s criticism will likely be addressed shortly.
A related issue was the handling of privacy cases by OCR. Not all privacy cases with documented issues resulted in a corrective action plan, nor were entities always reviewed for prior investigations. The confluence of these issues shows that OCR does not always fully follow through when investigating or vetting a covered entity identified as having a privacy compliance issue. Without fully investigating a covered entity or checking that covered entity’s background, it could be that repeat offenders are coming around, or the potential to resolve issues is slipping through the cracks. Paying more attention to repeat offenders could potentially reduce the number of violations, or at least put appropriate checks into place for covered entities that are not paying attention to their privacy obligations.
The OIG’s finding of inconsistent oversight by OCR aligned with its findings about covered entity compliance with selected privacy measures. OIG questioned covered entities on compliance with the following privacy standards: (i) establishing a sanctions policy for staff violations, (ii) training staff on HIPAA compliance, (iii) maintaining a notice of privacy practices, (iv) designated a privacy officer, and (v) providing a complaint process for individuals. Much like OCR’s pilot audits a few years ago, some responders were not compliant with the chosen elements. Lack of an established sanctions policy and lack of training were the clear frontrunners this time though. Overall, the results were encouraging because 73% were in fully compliance (at least with the five standards selected by the OIG).
What does the OIG’s report mean for covered entities (and business associates)? Get into compliance now. This message has been made repeatedly, but further action by OCR can be expected. No one likes to be criticized, and that is exactly what the OIG’s report is of OCR. The OIG clearly wants to see more done by OCR to ensure compliance with the HIPAA Privacy Rule. The soon to be started audits are one obvious tool, but others may also result now.
A period of enforcement and attention to compliance is well entrenched in healthcare at the moment. All of the numerous standards and requirements make it very difficult for entities to operate within the healthcare industry. However, despite these difficulties, entities must put a premium on compliance. To do otherwise will invite a fine or worse from the government. So, as the saying goes, do you want to pay now or later?