Tuesday, December 10, 2013

OIG Claims OCR Failed to Meet All Enforcement Requirements of HIPAA Security

By Dianne De La Mare

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has released a report, The Office For Civil Rights Did Not Meet All Federal Requirements In Its Oversight and Enforcement Of The Health Insurance Portability And Accountability Act Security Rule, finding that the HHS Office for Civil Rights (OCR) did not meet all of the federal requirements for its oversight and enforcement of the current federal security rule.  Although OCR met some of those requirements, it did not meet the "critical" requirements for enforcing the security rule: assessing security risks, establishing priorities and implementing controls for its obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which include periodic audits of covered entities to ensure compliance with the security rule.  According to the OIG report, OCR investigation files did not contain the documentation required to support key decisions, and OCR staff did not consistently follow OCR investigation procedures because they did not sufficiently review investigation case documentation.  Further, OCR had not implemented sufficient controls, including supervisory review and documentation retention, to ensure that investigators followed investigation policies and procedures when initiating, processing and closing security rule investigations.  The OIG report also found that OCR had not fully complied with the federal cybersecurity requirements of the National Institute of Standards and Technology (NIST) Risk Management Framework for the information systems it uses to process and store investigation data.
The OIG recommends that OCR 1) assess the risks, establish priorities and implement controls for its HITECH auditing requirements; 2) provide for periodic audits in accordance with HITECH to ensure security rule compliance at covered entities; 3) implement sufficient controls, including supervisory review and documentation retention, to ensure that its policies and procedures for security rule investigations are followed; and 4) implement the NIST Risk Management Framework for the systems it uses to oversee and enforce the security rule.  The full report is published by the HHS OIG.
