Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty.
The report’s lengthy title says it all: “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.” The full report is available here.
The OIG report identifies three major deficiencies in OCR’s oversight efforts:
First, OCR failed to assess the risks, establish priorities, and implement controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. Accordingly, OIG notes that OCR had limited ability to verify whether covered entities were in compliance with the Security Rule.
Next, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation. OIG identified gaps in OCR’s controls over investigations which may have led to inconsistent practices in initiating, processing, and closing Security Rule investigations.
Perhaps most surprisingly, OIG noted that OCR had not fully complied with Federal cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its own information systems used to process and store investigation data. OIG indicated that failure to follow industry standard safeguards could expose OCR to vulnerabilities which could impair OCR’s ability to perform functions vital to its mission.
In response, OCR noted that no funds had been appropriated to allow the agency to maintain a permanent audit program. Continuing gridlock in Congress suggests that a timely solution to the funding shortfall is unlikely.
We reported on OCR’s prior audit efforts in July 2012. A Peek Behind the OCR Wall of Shame. Since then, it appears that funding for programs like the KPMG HIPAA Privacy and Security Audit Program may have run out. The period reviewed by the OIG in the recent report, July 2009 through May 2011, predated the KPMG audit, so it is not clear whether all the report’s conclusions remain accurate today. In any event, OCR is on notice that OIG (and possibly Congress) will expect them to step up their security auditing to the fullest extent financially feasible.