Dive Brief:
- The Office for Civil Rights (OCR), the federal agency responsible for enforcing HIPAA's privacy provisions, is not fully enforcing those requirements, according to a report by the HHS Office of the Inspector General.
- According to the report, OCR has not done required audits of covered entities to see how they handle patient information, and hasn't documented key decisions.
- The report also slams the OCR for failing to complete privacy impact assessments, risk analyses or system security plans for two of the three systems used to oversee the Security Rule.
Dive Insight:
HIPAA privacy isn't worth much if the agency supervising providers isn't on the ball. According to the OIG, OCR will need to set a great many routines and controls in place if it is to do an adequate job, including setting priorities for auditing requirements and implementing controls to ensure policies and procedures for the Security Rule are followed. But OCR, in its response, said that no funds are appropriated for a permanent audit program, which could certainly put a spike in its efforts. It sounds like it's time for HHS to pony up.