Lax HIPAA Oversight OCR Data Breach Follow-Up

HHS’ Office for Civil Rights must improve its oversight of HIPAA-covered entities and its follow-up on reported data breaches, according to two HHS Office of Inspector General reports, FierceHealthIT reports.

HIPAA OCR Data Breach – Oversight Report

The first report was based on staff interviews and reviews of a sample of privacy cases that OCR had investigated between 2009 and 2011.

OIG found that OCR’s oversight of HIPAA-covered entities was “primarily reactive.” The report noted that OCR has failed to fully implement its proactive audit program to assess potential non-compliance among covered entities (Hall, FierceHealthIT, 9/30).

According to Politico’s “Morning eHealth,” OCR was required under the HITECH Act to implement the program in 2010, but it did not roll out a pilot program until July 2015.

The report also found that when OCR required providers to take corrective actions to remedy poor privacy protections, those actions often were not followed up by documentation to confirm that they had occurred. The documentation was incomplete in about 26% of cases, according to the report (Tahir et al., “Morning eHealth,” Politico, 9/30).

OIG recommended that OCR:

  • Fully implement its proactive audit program; and
  • Maintain comprehensive documentation of providers’ corrective actions.

Data Breach Follow-Up Report

The second report was based on interviews with staff and OIG audits from September 2009 to March 2011 that reviewed a sample of breaches affecting at least 500 people, as well as smaller breaches.

According to the report, 23% of large HIPAA breaches lacked complete documentation of corrective actions. In addition, OCR failed to record smaller breaches in its case-tracking system (FierceHealthIT, 9/30).

As a result, OCR’s ability to track and identify entities with multiple small breaches was limited (“Morning eHealth,” Politico, 9/30).

The report also found that OCR’s tracking system has limited search capabilities. In addition, OIG found that OCR does not have a standard method for entering covered entities into the system, further limiting its search functions.

OIG recommended that OCR:

  • Improve outreach and education efforts for covered entities;
  • Keep full documentation of providers’ corrective actions;
  • Record small breaches in its case-tracking system or a connected searchable database; and
  • Require staff to check for prior breach incidents (FierceHealthIT, 9/30).