On November 21, 2013, the Department of Health and Human Services (“DHHS”) Office of the Inspector General (“OIG”) issued another scathing report about DHHS oversight and enforcement of the HIPAA Security Rule (see my July 6, 2011, blog post, “Office of the Inspector General Slams HIPAA Oversight”). The HITECH Act, which appears to be a response to the earlier criticism of DHHS enforcement, required DHHS to conduct audits of covered entities to ensure compliance with HIPAA.
In the November 2013 report, the OIG found that the oversight performed by the Office for Civil Rights (“OCR”), which is responsible for investigating HIPAA complaints, was insufficient to ensure Security Rule compliance, and that OCR’s files on breaches often lacked the documentation needed to support its enforcement decisions.
In response to the OIG report, OCR stated that it planned to establish a permanent audit program based on its ongoing evaluation of the pilot audit program, which audited 115 covered entities. OCR noted that, instead of broadly auditing covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules, its future audits will likely focus on key areas of concern for OCR identified through new initiatives, enforcement concerns, and departmental priorities.
As if covered entities, and now business associates, didn’t have enough to worry about with the current level of enforcement, will this new report, in which the OIG slams DHHS again, raise the bar and make non-compliance much more problematic?