OCR did not Fulfill all Federal Requirements in its Oversight and Enforcement of the HIPAA Security Rule.

The Department of Health and Human Services Office of Inspector General (OIG) recently reported that the Office for Civil Rights (OCR) did not fulfill all federal requirements in the oversight and enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  The OIG examined OCR’s Security Rule oversight and enforcement for the period from July 2009 through May 2011, in addition to OCR’s computer systems as of May 2011.

The OIG made the following recommendations to which  OCR generally concurred:

• Examine risks, establish priorities, and implement controls for the Health Information Technology for Economic and Clinical Health Act auditing requirements.
• Conduct periodic audits of covered entities.
• Establish sufficient controls for investigations, such as supervisory review and documentation retention.
• Apply the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule.

The OIG report on OCR’s oversight activities is available at:

https://oig.hhs.gov/oas/reports/region4/41105025.pdf

Department of Health and Human Services Office of Inspector General. “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.” 4 Dec. 2013