OIG to Office for Civil Rights – Enforce Your Own Standards

Fri, Oct 2, 2015



The U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) wants the HHS’s Office for Civil Rights (OCR) to do a better job of enforcing its own standards, according to a report the OIG issued in September.

Report: OCR Fails to Protect Patients

The OIG’s report says that when covered entities (CEs) like health insurance companies, pharmacies and medical practices fail to safeguard patients’ protected health information (PHI), these breaches expose patients to risks of fraud, identity theft, invasion of privacy, and other harm. Those risks are not new; the OCR exists to protect patients from these perils. But according to the OIG, the OCR is falling short in its protective duties.

The Inspector General’s office says that OCR also failed to fully implement the required CE audit program that the HITECH Act mandated OCR start by 2010. Also, says the Inspector General’s office, when the Office for Civil Rights pursues a CE that hasn’t met privacy rule standards, the OCR often fails to follow up with documentation confirming that the CE took the required corrective actions. In fact, the OIG says that in 26 percent of closed privacy cases, OCR doesn’t have complete documentation that the CE completed all the required corrective actions.

Another problem unearthed by the Inspector General’s report is inefficiency in the OCR’s data tracking system. If OCR staff wanted to check whether covered entities had been investigated previously, they’d have a hard time doing so because the functionality of the OCR’s case-tracking system is limited. The OCR doesn’t even enter CEs’ names into the system in a standardized manner.

Finally, when the Inspector General’s office surveyed Medicare Part B providers and reviewed documents the providers supplied, the OIG discovered that 27 percent had not addressed all five privacy standards selected for review. “These Part B providers may not be adequately safeguarding PHI,” the OIG report warns.

OIG Recommends OCR Strengthen Investigation Processes

The OIG believes the Office for Civil Rights needs to improve its current investigative process, rectify its nonstandard method of entering covered entity names in its case tracking system, and follow up on all corrective actions to ensure that CEs have submitted the documentation as they were ordered by the OCR.

In summary, the Inspector General’s office recommended that OCR step up its game; instead of simply reacting to complaints, tips, and media reports, the OCR should actively search for, identify, and go after CEs that are noncompliant with the HIPAA Privacy Rule. OCR’s pilot proactive program, required by HITECH to start in February 2010, just began in July.

You can read the full OIG report here.

When OCR Starts New Audits, Watch Out, Say Experts

Legal experts warn that now that OCR’s proactive audit program has begun, it could spell serious consequences for noncompliant providers and CEs. A $2 million budget increase for OCR in fiscal year 2015 enables OCR to expand its investigations, audits, and enforcement actions, attorneys said.

SuperCoder Can Help Your Practice Stay Compliant With HIPAA

Now that the OCR has started its audit program, are you wondering if your practice complies with the HIPAA Privacy Rule? You need The Coding Institute/SuperCoder HIPAA Handbook. Packed with practical advice for safeguarding against HIPAA penalties, this handbook can help you perform a risk analysis for your practice so you know what steps to take to keep your practice compliant. Check it out!


Susan taught health information and healthcare documentation at the community college level for more than 20 years. She has a special love for medical language and terminology. She is passionate about ensuring accurate patient healthcare documentation through education. She has a master's degree in healthcare administration, is a certified healthcare documentation specialist, and serves as immediate past president for the Association for Healthcare Documentation Integrity (AHDI).
