HIPAA Security Rule Enforcement Not Yet Meeting Federal Requirements

A recent Office of the Inspector General (OIG) Report reviews progress made by the Office for Civil Rights (OCR) toward enforcement of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule following the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) amendments. The OIG found OCR enforcement to be meeting Federal HIPAA requirements in some key areas, but to be wanting in others.

OCR enforcement activities meeting Federal requirements include, (1) making available guidance promoting compliance with the Security Rule; (2) the investigation process for responding to reported Security Rule violations; and (3) proper application of penalties for covered entities found in violation of the Security Rule.

Enforcement deficiencies cited by the OIG are, (1) no assessment of risks, established priorities, or implemented controls for mandatory periodic audits of covered entities’ Security Rule compliance; (2) insufficient controls to ensure OCR investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations; and (3) non-compliance with Federal cybersecurity requirements due to a focus on system operability at the expense of system and data security. OCR comments to the Report acknowledge the shortfalls and cite insufficient funds as the main cause.

The Report can be accessed from the OIG website here.

Comments are closed.