OCR Should Strengthen Its Oversight of Covered Entities' Compliance With the HIPAA Privacy Standards

WHY WE DID THIS STUDY

Covered entities such as doctors, pharmacies, and health insurance companies that do not adequately safeguard patients' protected health information (PHI) could expose patients to an invasion of privacy, fraud, identity theft, and/or other harm. PHI includes identifying information like a patient's name, test results, medical condition, prescriptions, or treatment history. The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) established standards for sharing, using, and disclosing individuals' PHI and charges the Office for Civil Rights (OCR) with enforcing covered entities' compliance with the HIPAA privacy standards.

HOW WE DID THIS STUDY

To assess OCR's oversight of covered entities' compliance with the Privacy Rule, we (1) reviewed a statistical sample of privacy cases that OCR investigated from September 2009 through March 2011; (2) surveyed OCR staff; and (3) interviewed OCR officials. We also reviewed OCR's investigation policies. We surveyed a statistical sample of Medicare Part B providers and reviewed documents that they provided to determine the extent to which they addressed five selected privacy standards.

WHAT WE FOUND

OCR should strengthen its oversight of covered entities' compliance with the Privacy Rule. OCR's oversight is primarily reactive; it investigates possible noncompliance primarily in response to complaints. OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities. In about half of the closed privacy cases, OCR determined that covered entities were noncompliant with at least one privacy standard. In most cases in which OCR made determinations of noncompliance, it requested corrective action from the covered entities. OCR documented corrective action in its case-tracking system for most of these cases; however, OCR did not have complete documentation of corrective actions taken by the covered entities in 26 percent of closed privacy cases. Although 71 percent of OCR staff at least sometimes checked whether covered entities had been previously investigated, some rarely or never did so. If OCR staff wanted to check, they may face challenges because its case-tracking system has limited search functionality and OCR does not have a standard way to enter covered entities' names in the system. Finally, from our review of responses to our survey of Medicare Part B providers and documents that they provided, most providers addressed all five selected privacy standards, but 27 percent did not. These Part B providers may not be adequately safeguarding PHI.

WHAT WE RECOMMEND

OCR should (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities; (4) develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations and described its activities to address them.