Recently, the Office of Inspector General (OIG) at HHS released a report on the HIPAA enforcement efforts of HHS’s Office for Civil Rights (OCR). Specifically, the OIG looked at whether OCR’s efforts to enforce HIPAA’s Security Rule were adequate. The OIG’s findings may lead to increased enforcement efforts by OCR.
Background on the Security Rule
The HIPAA Security Rule requires covered entities and business associates to protect the integrity and confidentiality of protected health information (PHI). While the Privacy Rule governs how entities use and disclose this information, the Security Rule requires these entities to maintain the information subject to certain standards. These standards include administrative, physical, and technical safeguards.
- Administrative safeguards refer to policies and procedures in place to ensure workforce compliance with the Rule (e.g., training, evaluation, proper processes, and personnel).
- Physical safeguards refer to measures to limit physical access to PHI by unauthorized personnel (e.g., controlled access and workstation security).
- Technical safeguards refer to technical measures that protect the security of electronic PHI (e.g., encryption).
While covered entities have always been subject to the Security Rule, the HITECH Act of 2009 and the omnibus final privacy rule implementing the Act, made business associates also subject to its requirements.
The OIG Report analyzed whether OCR’s current Security Rule enforcement efforts are adequate.
Section 13411 the HITECH Act directs OCR to conduct periodic audits to ensure that covered entities and business associates are in compliance with the Security Rule. However, the OIG found that OCR had not successfully implemented this requirement. Rather, than conducting periodic audits, OCR conducted investigations primarily in response to reported violations. As a result, wrote the OIG, OCR had “limited assurance” that entities were in compliance with the Security Rule and “missed opportunities” to encourage entities to strengthen their security efforts.
Furthermore, the OIG found that, although OCR had an investigation process for responding to reported Security Rule violations, OCR did not consistently follow its own procedures. Specifically, OIG found that 39 of 60 selected investigation records were missing necessary documents.
Implications for Covered Entities and Business Associates
It is likely that OCR will step up enforcement efforts in response to the OIG report. However, as the agency noted in its response to the report, it currently lacks funds to maintain a permanent audit program. Still, OCR notes that it is in the process of designing a proactive audit program that is likely to be more focused on key areas of concern.
Thus, medical device companies that are business associates should take steps to ensure they are in compliance with the Security Rule’s requirements in light of OCR’s likely future audit and enforcement activities.