OIG: OCR Needs to Improve Compliance
HIPAA Enforcement Agency Says It's Addressing Issues
A new report from a government watchdog says the Department of Health and Human Services' Office for Civil Rights - which enforces HIPAA - failed to comply with various federal cybersecurity requirements.
But an OCR spokeswoman tells Information Security Media Group: "The report found certain administrative and information system documentation deficiencies, all of which were corrected prior to the final report's publication."
The report issued by HHS' Office of Inspector General states that its review showed OCR did not fully comply with the Federal Information Security Management Act, or FISMA, which sets requirements for government agencies.
But the OIG concedes that much of its analysis was based on information collected between July 2009 and May 2011.
"OCR had not fully complied with federal cybersecurity requirements included in the National Institute of Standards and Technology Risk Management Framework for its information systems used to process and store [HIPAA compliance] investigation data because it focused on system operability to the detriment of system and data security," the report states.
OCR did not obtain HHS authorizations to operate the three systems used to oversee and enforce the HIPAA Security Rule, according to the report. In addition, OCR did "not complete privacy impact assessments, risk analyses or system security plans for two of the three systems," the report states.
As a result, "exploitation of system vulnerabilities, normally identified through the risk management process, could impair OCR's ability to perform functions vital to its mission," according to the report.
In a response letter, OCR Director Leon Rodriguez states that the agency is addressing all issues and recommendations cited in the review.
Security consultant Mac McMillan, CEO of consulting firm CynergisTek and a former security director in the Department of Defense, says the failure to comply with FISMA requirements, "is probably more common than it should be" among federal agencies that do not deal with classified data.
"The real question here," McMillan says, "is where was HHS, meaning the department's chief information security officer, who should be making sure that its [units] are following the right procedures for accrediting its systems? This makes HHS look ... bad, even worse, when coupled with the security issues on HealthCare.gov and its previous failure in security enforcement with the Centers for Medicare and Medicaid Services." McMillan is referring to the reports that the federal health insurance exchange website did not undergo end-to-end security testing before launching for open enrollment on Oct. 1 (see: HealthCare.gov: How Secure Is It Now?).
Other criticisms in the OIG report related to OCR's HIPAA Security Rule enforcement efforts, pointing to delays in launching a permanent compliance audit program, as mandated by the HITECH Act. OCR says it plans to launch such a program in fiscal 2014.
In the response by OCR included in the report, Rodriguez noted that OCR had conducted a pilot HIPAA compliance audit program that included evaluating 115 covered entities in 2012. An analysis of that program will be used to develop a permanent audit program, he added.
The report notes, "OCR stated that it had contracted for the development of its audit mandate options, had developed an audit protocol, had conducted pilot audits of covered entities, and was evaluating the results of its pilot audit program. However, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available."
Rodriguez has stated in presentations this year, however, that OCR hoped to "bank" HIPAA non-compliance penalties collected to fund future enforcement programs, including a permanent HIPAA compliance audit program slated to launch in fiscal 2014 (see: HIPAA Audits: More to Come in 2014).
When asked if OCR was still counting on funding a permanent HIPAA security audit program through its HIPAA non-compliance penalties, the OCR spokeswoman told Information Security Media Group, "Even without an appropriation, OCR is committed to maintaining a permanent audit program. We are currently evaluating our recent audit pilot experience and incorporating those lessons into the design of that permanent program and future activities."
Additionally, the OCR spokeswoman noted: "The major recommendation by the OIG was that OCR should implement an audit or audit-type function rather than rely solely on complaints as a means of assessing compliance with the HIPAA Security Rule. OCR is in total agreement with the recommendation of the OIG."
Lack of Documentation
Another OIG finding was that OCR had insufficient documentation of its HIPAA complaint investigations and compliance reviews.
Ironically, OCR looks for documentation, such as evidence of a HIPAA security risk analysis, from covered entities when the agency investigates HIPAA breaches and complaints.
The OIG finding is "worse than ironic in this case," McMillan says. "What OIG said was that OCR did not review adequately documentation during their investigations and did not retain the documentation necessary to back up their findings," he says.
McMillan points out, however, that the report's conclusions must be considered in light of the fact they're based on information OIG collected between July 2009 and May 2011.
"The information is dated, the observations are dated, and my guess is the conclusions, while possibly right then do not reflect reality now. The bottom line is to paint OCR with this brush without revalidating the findings in 2014 would be unfair."
The OIG report recommends, among other things, that OCR:
- Provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities;
- Implement sufficient controls, including supervisory review and documentation retention, to ensure policies and procedures for HIPAA Security Rule investigations are followed; and
- Implement the NIST Risk Management Framework for systems used to oversee and enforce the HIPAA Security Rule.
The report notes that OCR "generally concurred with [the] recommendations and described the actions it has taken to address them."