OIG: OCR failed to meet federal requirements in HIPAA oversight

The Office of Civil Rights (OCR) failed to meet several federal requirements necessary to the oversight and enforcement of the HIPAA security rule, according to a recent report from the Department of Health and Human Services Office of Inspector General (OIG).

While the OCR met some oversight and enforcement requirements, OIG determined that the OCR failed to assess risks, establish priorities or implement controls for its federal requirements to provide for periodic audits of covered entities to ensure their compliance. Also:

  • The agency’s investigation files did not include necessary documentation supporting key decisions, because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow policies and procedures for properly initiating, processing and closing investigations
  • OCR had not fully complied with federal cybersecurity requirements for its information systems used to process and store investigation data

The OIG offered several recommendations for OCR, including that it:

  • assess the risks, establish priorities and implement controls for its HITECH auditing requirements;
  • provide for periodic audits in accordance with HITECH to ensure security rule compliance at covered entities;
  • implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for investigations are followed; and
  • implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the rule.

OCR generally agreed with the OIG’s recommendations in comments on the draft report, according to the publication. In one comment, OCR wrote that it had contracted for the development of its audit mandate options, had developed an audit protocol, had conducted pilot audits of covered entities and was evaluating the results of its pilot audit program. But the agency explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support prior audit activities were no longer available.

“We remain concerned about OCR’s ability to comply with the HITECH audit requirement and the resulting limited assurance that electronic protected health information is secure at covered entities because of OCR’s comment regarding limited funding resources for its audit mandates,” according to the OIG.
