Expect more concerted HIPAA enforcement due to OIG reports

The protection of individuals’ private health information isn’t being adequately enforced, according to the Health and Human Services Office of Inspector General (OIG).

The OIG issued two reports criticizing the Office for Civil Rights (OCR) for failing to proactively enforce privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) and to follow through fully on the enforcement action it does take.

In the first report, focused on privacy rule enforcement, the OIG reviewed enforcement cases from 2009-2011, and found that the OCR was more reactive than proactive in investigating noncompliance and failed to fully implement its required audit program.

While OCR requested corrective action in most cases of noncompliance with HIPAA privacy rules, the OIG said it failed to follow up on those corrective action requirements—lacking documentation of corrective actions in 26 percent of closed privacy cases. OCR staff also failed to check for prior history of noncompliance, but even if they had, the OIG found that such a review would be hampered by the “limited search functionality” of OCR’s case-tracking system.

Therefore, the OIG called for full implementation of OCR’s audit program, improved documentation, and better case-tracking systems which staff should be required to check. It also recommended that OCR continue to expand outreach and education efforts to prevent noncompliance.

A second OIG report criticized OCR for failing to adequately follow up on breaches of protected health information privacy.

The OIG reviewed a statistical sampling of breach cases (both large and small) and found that while corrective action was documented in most large-breach cases, there was incomplete documentation of corrective actions in 23 percent of cases.

Once again, OCR staff were criticized for failing to check for prior history of noncompliance. While 61 percent of staff “at least sometimes” checked for prior reports of large breaches by a covered entity, 39 “rarely or never” checked, and the case-tracking system’s limited functionality was again blamed for failing to facilitate such searches.

Thus, the OIG recommended improvements to case-tracking systems that include tracking small-breach information, requiring staff to check for prior breaches, and improved documentation of corrective action in breach notification cases. The OIG also again emphasized the need for the OCR to provide outreach and education to covered entities.
