OCR Lacks Insight Into HIPAA Security Rule Compliance
By Alaap B. Shah and Ali Lakhani
Alaap B. Shah and Ali Lakhani are attorneys in the Health Care and Life Sciences practice of Epstein Becker & Green, P.C., Washington, D.C. They advise clients extensively on HIPAA compliance, among other health care matters.
As health care rapidly digitizes through the adoption of electronic health records, mobile applications and similar technologies, the risk of data breach is rising.
To manage this risk effectively, health care companies and their business associates must implement and continually evaluate security controls in the form of the administrative, physical and technical safeguards the HIPAA Security Rule requires. Health care companies also have resources to assist them with managing that risk.
Specifically, the federal agency responsible for oversight of the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services Office for Civil Rights (OCR), is tasked with providing technical assistance to help companies achieve compliance with the HIPAA Security Rule. Further, when companies fail to comply, OCR has stated that it takes its enforcement authority seriously and will work to obtain compliance where necessary.
Responsibility for oversight and enforcement of the Security Rule was delegated to OCR by the Department of Health and Human Services (HHS) in 2009 under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Nonetheless, anyone who reads the news is aware that data breaches within the health care sector continue to rise in number and frequency. Rising breach counts suggest that many health care companies still lack adequate security safeguards to protect the sensitive data flowing within their organizations.
That trend also raises concern about the effectiveness of OCR's efforts to ensure compliance with the HIPAA Security Rule.
Although most of OCR’s cases have historically involved corrective action rather than monetary fines, OCR Director Leon Rodriguez has explained that “[o]n the one hand you do have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance … [b]ut at the same time you have to set rules of the road that are understandable and consistent.”
Although OCR's enforcement activity has been on the rise in recent years, its enforcement history calls into question whether it has the ability to follow through on this aggressive agenda.
Lack of Insight Into Industry Security Compliance
According to a recently released report by the HHS Office of Inspector General (OIG), OCR’s compliance efforts reveal significant gaps in its oversight activities between 2009 and 2011. Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.” As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective (see previous article).
OCR responded to the OIG report by explaining its performance, citing that "no funds [have] been appropriated … to maintain a permanent audit program." Going forward, however, Rodriguez said he expects that OCR "will leverage more civil penalties" and that OCR will be permitted to use collected penalties to fund enforcement actions and "to maximize funding [for] our auditing and breach analysis" activities.
OCR has already committed $4.5 million of penalties collected in prior enforcement actions. At this time, however, no further details are available on how far the HIPAA audit program will expand as a result of reinvesting those penalties.
This is not to say that OCR has been inactive in promoting security compliance. For example, OIG noted that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations.
Yet OCR's report card, although somewhat changed, has not materially improved since the OIG's 2011 report, which recommended "greater OCR oversight and enforcement." In light of these findings, OCR is likely to turn its focus to increasing its oversight activities in an effort to gain further insight into Security Rule compliance.
OCR's enforcement activity has nonetheless accelerated since the OIG's 2011 report. OCR indicated that 5,447 complaints were in some phase of investigation in December 2013, and that it received 12,811 new complaints in 2013 (2,357 more than in 2012). In 2013, OCR required action by 3,467 covered entities pursuant to filed complaints, similar to the 3,383 required actions in 2012.
OCR Is Moving Toward the OIG Enforcement Model
As early as May 2012, Rodriguez indicated that the agency is headed toward the Office of Inspector General enforcement model. He has warned that "the same level of vigilance that providers have used to steer clear of OIG's fraud enforcement now needs to be applied in the HIPAA environment." Read together with the findings of the recent OIG report, these comments suggest that OCR will take its oversight and enforcement activities even more seriously moving forward (see previous article).
Based on the reinvigoration of the HIPAA Audit Program and signals from OCR, 2014 appears set to be a year of heightened OCR enforcement. According to federal regulators, the permanent HIPAA Audit Program is expected to begin early in 2014, and covered entities should identify and mitigate any outstanding noncompliance before then.
Although Rodriguez has conceded that "the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program," the number of organizations audited is expected to increase.
The 2014 Outlook
In light of OIG's criticism that OCR has fallen short of its enforcement obligations, the health care industry should expect more audits and enforcement in the future. However, OCR's ability to follow through on this mandate is uncertain given the recent departures of certain key OCR staff.
There are also reports that Rodriguez will step down as director of OCR to become director of U.S. Citizenship and Immigration Services, which is housed in the Department of Homeland Security. Nevertheless, OCR and its leadership are expected to continue their efforts to obtain HIPAA Security Rule compliance across the health care sector.