OCR Should Strengthen Its Followup of Breaches of Patient Health Information Reported by Covered Entities

WHY WE DID THIS STUDY

Recent news illustrates that a data breach can affect millions of individuals. Breaches of protected health information (PHI)-such as patients' names, test results, medical conditions, prescriptions, or treatment histories-could expose patients to privacy invasion, fraud, identity theft, and/or other harm. The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), along with HIPAA's Privacy and Security Rules, established HIPAA standards that aim to safeguard PHI. The Breach Notification Rule requires that covered entities report breaches of unsecured PHI to the Office for Civil Rights (OCR). OCR's oversight of covered entities' compliance with the HIPAA standards is critical to help ensure that covered entities address the problems that led to breaches.

HOW WE DID THIS STUDY

To assess OCR's oversight of covered entities that reported breaches, we (1) reviewed a statistical sample of large breaches (i.e., breaches affecting 500 or more individuals) and small breaches (i.e., breaches affecting fewer than 500 individuals) that covered entities reported to OCR from September 2009 through March 2011; (2) surveyed OCR staff; and (3) interviewed OCR officials. We also reviewed OCR's investigation policies. We surveyed a statistical sample of Medicare Part B providers and reviewed documents that they provided to determine the extent to which they addressed three selected breach administrative standards.

WHAT WE FOUND

OCR should strengthen its followup of breaches of PHI reported by covered entities. OCR investigated the large breaches, as required, and in almost all of the closed large-breach cases, it determined that covered entities were noncompliant with at least one HIPAA standard. Although OCR documented corrective action for most of the closed large-breach cases in which it made determinations of noncompliance, 23 percent of cases had incomplete documentation of corrective actions taken by covered entities. OCR also did not record small-breach information in its case tracking system, which limits its ability to track and identify covered entities with multiple small breaches. Although 61 percent of OCR staff checked at least sometimes as to whether covered entities had reported prior large breaches, 39 percent rarely or never did so. If OCR staff wanted to check, they may face challenges because its case tracking system has limited search functionality and OCR does not have a standard way to enter covered entities' names in the system. Finally, from our review of the documents that Medicare Part B providers submitted, most addressed all three selected breach administrative standards but 27 percent did not. These providers may not be adequately safeguarding PHI.

WHAT WE RECOMMEND

OCR should (1) enter small-breach information into its case-tracking system or a searchable database linked to it; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities that reported prior breaches; (4) develop a policy requiring OCR staff to check whether covered entities reported prior breaches; and (5) continue to expand outreach and education efforts to covered entities. OCR concurred with all five recommendations and described its activities to address them.