HHS Calls for Increased HIPAA Enforcement

In late September of this year, the U.S. Department of Health & Human Services Office of the Inspector General (OIG) released two studies that called for increased oversight and enforcement of HIPAA. More specifically, OIG called on the HHS Office for Civil Rights (OCR) to strengthen its efforts, in terms of both general HIPAA Privacy Standards enforcement and enforcement of security breach reporting requirements.


OIG commissions these two studies at a time when digital health information technology is on the rise. With the rise of this technology has come an increased risk for invasion of patient privacy, as well as increased exposure to identity theft and identity fraud for patients.


OCR responded in general agreement with OIG’s recommended improvements to the Office’s enforcement and investigation practices. Additionally, OCR stated that it intends to strengthen its enforcement activities, beginning with the launch of its phase 2 audits of compliance with the HIPAA Privacy, Security, and Breach Notification Standards in early 2016.


This call-to-action on the part of OIG and this statement by OCR both urge healthcare facilities and other covered entities to evaluate their current HIPAA compliance, restructuring their privacy, security, and breach notification practices if need be. According to OIG, OCR’s oversight as it stands currently is “primarily reactive,” meaning that not enough is done to prevent security breaches in the first place. Ideally, OCR would more proactively audit covered entities for potential noncompliance under the audit program outlined in the Health Information Technology for Economic and Clinical Health Act (HITECH).


Here are the five recommendations that OIG gives to OCR for improving its oversight:


(1) Fully implement a permanent audit program;


(2) Maintain complete documentation of corrective action;


(3) Develop an efficient method in its case-tracking system to search for and track covered entities;


(4) Develop a policy requiring OCR staff to check whether covered entities have been previously investigated;


(5) Continue to expand outreach and education efforts to covered entities.


OCR states that so far it has already addressed some of these recommendations, while others are in the process of being addressed.


In addition to these recommendations, OIG has stated that OCR is not adequately investigating or documenting the reports of data breaches, and has in turn outlined five recommendations for improving investigation and documentation efforts; these recommendations strongly mirror the five recommendations mentioned above.


Long story short, with the rise of digital health information storage, HIPAA enforcement and investigation is a higher priority now than ever before, and HHS is taking action.