Holes in oversight and enforcement of the Health Insurance Portability and Accountability Act — or HIPAA — need to be addressed, the Department of Health and Human Services' inspector general has found.

In the report, the IG's office expresses concern about the competence of the HHS Office for Civil Rights, which oversees and enforces the HIPAA Security Rule. According to the report, the Security Rule describes the "administrative, physical and technical safeguards necessary to ensure the confidentiality, integrity and availability of ePHI," or electronic protected health information.

The IG also found that the OCR failed to assess risks, establish priorities or enforce controls for periodic audits of compliance with the Security Rule.

There were also concerns about how violations of the Security Rule were reported and how investigations were filed and carried out by OCR.

OCR also failed to get the approval of HHS to operate three systems used to oversee and enforce the Security Rule.

The IG's office recommended that OCR begin conducting periodic audits and enforce more controls to make sure all procedures are followed.