The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule

The Office for Civil Rights (OCR) did not meet certain Federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule (Security Rule). OCR had not assessed risks, established priorities, or implemented controls for its Federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. In addition, OCR's Security Rule investigation files did not contain required documentation supporting key decisions made because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations. Further, OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security.

We recommended that OCR (1) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (2) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; (3) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and (4) implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule. In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them. In specific comments on our second recommendation, however, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.