OIG Report Recommends Implementation of Permanent HIPAA Audit Program

The Office of Inspector General (OIG) for the Department of Health and Human Services (HHS) recently conducted a study to assess the Office for Civil Rights’ (OCR) oversight of compliance with the HIPAA Privacy Rule.

The OIG recommended that OCR strengthen its oversight by becoming proactive rather than reactive. The OIG criticized OCR for not fully implementing its required HIPAA audit program. Further, the OIG found that OCR was not consistent in documenting covered entities’ corrective actions in its tracking system. In addition, the OIG found that, when investigating possible noncompliance, OCR employees were not consistently checking whether the covered entity had been the subject of previous investigations. The OIG cited the inefficiency of OCR’s case-tracking system as a barrier to performing such checks. The OIG further noted that it had surveyed Medicare Part B providers and concluded that 27% of the respondents were not addressing all five of the selected privacy standards. The five HIPAA Privacy standards selected for the survey were whether the covered entity: (1) has established a sanctions policy for all staff; (2) has provided all staff with HIPAA training on the covered entity’s HIPAA policies and procedures with respect to PHI; (3) maintains a Notice of Privacy Practices; (4) has a designated HIPAA privacy official; and (5) provides a complaint process for individuals (patients).

Specifically, the OIG recommended that OCR (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective actions; (3) develop an efficient method of searching for and tracking covered entities in its case-tracking system; (4) develop a policy requiring OCR staff to check whether covered entities under investigation had been previously investigated; and (5) continue to expand outreach and education efforts to covered entities.

OCR concurred with all five recommendations and stated that it is moving forward with planning for its permanent HIPAA audit program. Specifically, OCR stated that it will launch Phase 2 of its audit program in early 2016, which will target both covered entities and business associates with regard to specific common areas of noncompliance.

What does this mean for providers?

It means that OCR is being pushed to implement the permanent HIPAA audit program and to crack down especially on covered entities that have previously been investigated. It also likely means that OCR will follow up more thoroughly with covered entities that previously agreed to implement corrective actions for HIPAA violations.

Our firm has prepared checklists for both HIPAA Privacy and HIPAA Security to assist health care providers with their compliance efforts. These, along with links to other resources, can be found on our firm’s HIPAA Resources page. For providers with questions about their HIPAA policies or about HIPAA in general, we are offering free 15-minute consultations, which can be scheduled through the following link: https://healthlaw.acuityscheduling.com/schedule.php