Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty.

The report’s lengthy title says it all: “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.” The full report is available here.

The OIG report identifies three major deficiencies in OCR’s oversight efforts:

First, OCR failed to assess the risks, establish priorities, and implement controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. Accordingly, OIG notes that OCR had limited ability to verify whether covered entities were in compliance with the Security Rule.

Next, OCR’s Security Rule investigation files did not contain the required documentation supporting key decisions, because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation. OIG identified gaps in OCR’s controls over investigations that may have led to inconsistent practices in initiating, processing, and closing Security Rule investigations.

Perhaps most surprisingly, OIG noted that OCR had not fully complied with Federal cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its own information systems used to process and store investigation data. OIG indicated that failure to follow industry standard safeguards could expose OCR to vulnerabilities which could impair OCR’s ability to perform functions vital to its mission.

In response, OCR noted that no funds had been appropriated to allow the agency to maintain a permanent audit program. Continuing gridlock in Congress suggests that a timely solution to the funding shortfall is unlikely.

We reported on OCR’s prior audit efforts in July 2012 in A Peek Behind the OCR Wall of Shame. Since then, it appears that funding for programs like the KPMG HIPAA Privacy and Security Audit Program may have run out. The period reviewed by the OIG in the recent report, July 2009 through May 2011, predated the KPMG audit, so it is not clear whether all the report’s conclusions remain accurate today. In any event, OCR is on notice that OIG (and possibly Congress) will expect them to step up their security auditing to the fullest extent financially feasible.

CMS should improve its oversight of its electronic health record (EHR) incentive program, according to a report by the Office of Inspector General released this month. The government watchdog agency faults CMS for both inadequate prepayment safeguards and insufficient postpayment monitoring of recipients of federal funding intended to help cover the costs of adopting and implementing EHR technology.

As this blog noted earlier this month, some concerns have been raised in a Congressional hearing about how the approximately $7.7 billion in taxpayer funds have been spent to date under the HITECH Act’s incentive program. In its report, the OIG recommended that CMS:

  • Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self-reported information;
  • Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance; and
  • Conduct prepayment reviews to improve program oversight.

OIG reported resistance from CMS regarding its recommendation to implement prepayment reviews, which CMS believes would increase the burden on practitioners and hospitals and could delay incentive payments. CMS agreed to take steps to improve program oversight. CMS’s response appears as an exhibit to the OIG report at page 30.

Next, the OIG turned to the Office of the National Coordinator for Health Information Technology (ONC), the government agency that establishes EHR standards and certifies EHR technology. OIG recommended that the ONC:

  • Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible; and
  • Improve the certification process for EHR technology to ensure accurate EHR reports.

ONC concurred with both recommendations, as noted in the letter from Dr. Farhad Mostashari appearing at page 32.

The report noted that CMS currently conducts prepayment validation of professionals’ and hospitals’ self-reported meaningful use information to ensure that it meets program requirements, mostly by checking the math in the reports and verifying EHR certification codes. OIG also noted that CMS plans to audit selected professionals and hospitals after payment, selecting audit targets by a similar method based on inconsistencies in their reported data. At the time of the OIG review, CMS had not yet completed any postpayment audits.

Among OIG’s findings were:

  • CMS’s prepayment validation functions correctly but does not verify the accuracy of self-reported information.
  • Sufficient data are not available to verify self-reported information through automated system edits.
  • CMS does not collect supporting documentation to verify self-reported information prior to payment.
  • CMS’s planned postpayment audits may not conclusively verify the accuracy of professionals’ and hospitals’ self-reported meaningful use information.
  • Reports from certified EHR technology are not sufficient for CMS to verify self-reported information and may not always be accurate.
  • CMS may not be able to obtain sufficient supporting documentation to verify self-reported information during audits.

Given budgetary pressure and ongoing Congressional oversight, it is likely that CMS and ONC will be looking more closely at how HITECH incentive funds are being applied in the coming year.

A thoughtful reader commented on the recent blog post in this series that asked whether the 2012 Breach of Massachusetts Eye and Ear Infirmary (“MEEI”) should have by now been reflected in a third posting respecting MEEI on the HHS List. (Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the earlier blog post.) 

The reader’s comments included the following:

I have been wondering—and this article [the blog post] continues to make me wonder—whether covered entities will be less likely to “err on the side of caution” in making breach reports, now that they see the potentially draconian consequences of making such a report. I think it’s pretty clear (and I think OCR [the Office of Civil Rights] has even said publicly) that large breach reports will trigger investigations and, as we have seen, investigations are likely to open to scrutiny all aspects of the covered entity’s HIPAA policies, practices and procedures. Seeing million dollar resolution agreements may give covered entities pause about blowing the whistle on themselves, particularly where there is room to argue whether the disclosure creates a significant risk of harm. . . .

The reader’s comments point out the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach, even if it appears not to rise to the level of a potential List Breach. I concur with the reader that covered entities may in the future give more attention to a risk analysis of the probable harm of a potential List Breach. One purpose of that analysis will be to determine the number of involved individuals and whether the entity can reasonably conclude that a List Breach has not occurred and, therefore, that there may be no need for a List Breach report to HHS.

The covered entity may so conclude even if it publicizes the PHI security breach, notifies “potentially affected individuals,” posts information about the breach on its Web site, engages in some “voluntary” remedial action for such potentially affected individuals, disciplines involved employees and makes improvements to its policies and procedures. Repeat marchers in the Breach Parade may be especially motivated to conclude that a List Breach has not occurred.

However, the stakes may be high for a covered entity that concludes that a List Breach has not occurred. The potentially “draconian consequences of making such a report” to HHS can be greatly amplified if the conclusion not to report the security breach as a List Breach turns out to be erroneous. The failure to report a List Breach is a separate violation and can give rise to significant penalties. Moreover, the covered entity must consider that most states have adopted their own requirements to make timely reports to state regulators about a PHI security breach, often with different standards for reporting, and state Attorneys General can seek to enforce a failure to make a mandatory report under both state law and HIPAA.

To some observers, elements of the risk analysis of a covered entity for reporting a possible List Breach may be somewhat analogous to the considerations that exist for self-reporting by healthcare providers of potential false claims to the HHS Office of Inspector General under its voluntary disclosure program. The important difference is that voluntary disclosure is optional; reporting a PHI security breach that is a List Breach to HHS is mandatory, with potential materially adverse consequences for failure to comply.