From: Health Data Management
HHS/OCR has conducted pilot audits and was expected in 2013 to significantly expand the program. The agency, however, told OIG that no funds have been appropriated to maintain a permanent audit program. “We remain concerned about OCR’s ability to comply with the HITECH audit requirement and the resulting limited assurance that ePHI is secure at covered entities because of OCR’s comment regarding limited funding for its audit mandates,” OIG replied in the report.
OIG further questioned OCR’s handling of investigations into violations of the HIPAA security rule. “Although OCR established an investigation process for responding to reported violations of the security rule, its security rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation,” according to the report. “OCR had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing and closing Security Rule investigations.”
Neither has OCR complied with federal cybersecurity regulations, specifically the NIST Risk Management Framework, to protect its own information systems that process and store investigation data, “because it focused on system operability to the detriment of system and data security,” the HHS Office of Inspector General concluded. “For example, OCR did not obtain HHS authorization to operate the three systems used to oversee and enforce the security rule. In addition, it did not complete privacy impact assessments, risk analyses or system security plans for two of the three systems. Exploitation of system vulnerabilities, normally identified through the Risk Management process, could impair OCR’s ability to perform functions vital to its mission.”
OIG offered a number of recommendations to increase security of the information systems and provide for periodic HIPAA audits of covered entities, and OCR “generally” agreed with the recommendations and described actions to address them.
“The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule” is available here.