How safe is your personal health information? Two studies by the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) point out perceived deficiencies in the way Americans’ health information is protected and secured under the Health Insurance Portability and Accountability Act (HIPAA). The reports, made public in October 2015, target the audit process and lay out plans to revamp the audit program in early 2016.
Protected health information (PHI) includes a patient’s name, age, gender, prognosis, and payment for treatment. This information, whether communicated orally, electronically, or in written form, must be protected according to HIPAA regulations whenever it is handled by health care providers, health plans, or any third-party business associates. The HIPAA Privacy and Security Rules and the Breach Notification Rule aim to balance the need to disclose information during medical care with the need to protect the personal identity of patients. The HHS Office of Civil Rights (OCR) handles the enforcement of HIPAA. From the time the HIPAA Breach Notification Rule went into effect in September 2009 through the end of 2015, there have been more than 125,445 complaints, resulting in $27,974,400.00 worth of penalties.
The HHS Office of Inspector General looked at sample cases and breaches from September 2009 through March 2011 and reported several concerns about how the OCR operates:
- A permanent audit program is not in place
- The OCR is too reactive in its response to reported breaches
- OCR investigations are not fully documented, and corrective actions are missing in many cases
- Smaller breaches, affecting 500 patients or fewer, are not even documented by the OCR
- Prior breaches are rarely reported, if at all
- The case-tracking system makes it nearly impossible to search for an entity’s past compliance. Making things even more difficult, the OIG found there is no standard way to enter names into the system
The OIG recommended “the OCR should:
- Fully implement a permanent audit program
- Maintain complete documentation of corrective action
- Develop an efficient method in its case tracking system to search for and track covered entities
- Develop a policy requiring OCR staff to check whether covered entities have been previously investigated
- Continue to expand outreach and education efforts to covered entities”
The agency will launch a permanent HIPAA Phase 2 Audits program in early 2016 to replace what it sees as the flawed audit process currently in place. Once an improved case tracking system is in place, the OCR is to identify entities with multiple small breaches so that proper enforcement can occur. Health information contains the most personal information about an individual. No matter how large or small the breach, making any of this data public puts individuals at risk of fraud, theft, and loss of confidentiality.
The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) is demanding changes to how the Office of Civil Rights oversees and enforces the HIPAA Privacy and Security Rules. Beginning in early 2016, a new audit protocol will be put in place to track down entities with small (fewer than 500 individuals) past breaches for enforcement. The permanent Phase 2 Audits will also require documentation of any corrective actions taken after an issue is addressed. An improved tracking system will streamline how the OCR labels and cross-references entities.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Regulatory Authorities – Department of Health and Human Services (I.A.d.iv.)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) (II.B.a.i.ii.)