Dive Brief:
- The Department of Health and Human Services Office of Inspector General (OIG) has released a report stating that the Office for Civil Rights (OCR) should strengthen its oversight of covered entities' compliance with HIPAA privacy standards to better prevent breaches of patient health information.
- Among its findings: OCR's oversight is primarily reactive, with the agency investigating noncompliance in response to complaints.
- The report highlights OIG's concern that OCR has not fully implemented a required audit program that would allow it to proactively assess potential noncompliance issues.
Dive Insight:
OIG's investigation found evidence of compliance issues known to OCR, along with a limit to OCR's management of those situations.
The report stated that in about half of the privacy cases OCR investigated, the agency found covered entities were noncompliant with at least one privacy standard, requested corrective action for most of those cases, and documented corrective action for most of those cases.
However, OIG found that OCR did not fully document corrective actions in 26% of its closed privacy cases.
In addition, an OIG survey of Medicare Part B providers found 27% of providers failed to address all five selected privacy standards.
As a result of its findings, OIG recommended actions to OCR, including fully implementing an audit program; maintaining thorough documentation of corrective actions taken; and developing a method to efficiently search for and track covered entities.