It's an ironic story. The Office for Civil Rights, the division of HHS responsible for investigating HIPAA privacy and security violations, is now facing scrutiny after its own security practices failed to meet federal requirements.
Not only did OCR fail to launch its official audit program mandated by HITECH and meant to further enforce the HIPAA security rule, but it also failed to perform risk analyses, privacy impact assessments and system security plans for two of its IT systems, concluded a recent OIG report.
The report, which assessed OCR's Security Rule oversight and enforcement from 2009 to 2011, also flagged concerning internal practices, including failure to properly document key enforcement decisions and failure to comply with the federal cybersecurity requirements set forth in the National Institute of Standards and Technology Risk Management Framework.
Specifically, OIG found 39 out of 60 selected records were missing one or more documents needed for security violation investigations.
"OCR Security Rule investigation records were missing documentation because OCR investigators did not consistently follow OCR’s policies and procedures for documenting case investigations and OCR management did not implement sufficient controls, such as supervisory reviews, to ensure that the investigators did so," the report stated.
Responding to report findings over OCR's audit program, the subagency pointed out it has conducted 115 pilot audits of covered entities since December 2011. However, funding limitations remain a significant barrier to launching and maintaining a permanent audit program.
"While OCR agrees with the recommendation that the HITECH audit program represents an effective tool, no monies have been appropriated for OCR to maintain a permanent audit program," commented officials.
Back in August, OCR Director Leon Rodriguez told Healthcare IT News a permanent audit program most likely wouldn't be implemented until 2014.
Shortcomings of OCR's IT systems were also highlighted in the report. Its compliance data system (CDS) and breach notification system, in particular, were found to have security vulnerabilities.
"Exploitation of unaddressed system vulnerabilities normally identified through the risk management process, could impair OCR’s ability to perform functions vital to its mission," said OIG officials.
According to OCR's comments, the subagency responded by transitioning from the CDS to a program information management system (PIMS) in 2012 and has since made a "significant upgrade" to the PIMS.
Kevin Johnson, chief executive officer and principal security consultant at Secure Ideas, called the report findings "very typical" of what he sees with government and corporate clients. "It always surprises me, and probably shouldn't, that even though organizations have significant security requirements, these are often underfunded or misunderstood," Johnson said. "We see partial or badly planned system implementations that create an even worse situation; they think they are doing enough but failing silently."
Then, Johnson added, either an auditor will come in and find these vulnerabilities or, worse, they find out the hard way following a privacy or security breach.