Dec. 4—Hospitals are no longer undergoing audits for compliance with a patient data privacy measure because the responsible Department of Justice (DOJ) office lacks oversight funding, according to a federal watchdog.

The Office of Inspector General (OIG) reported Dec. 4 that the DOJ’s Office for Civil Rights (OCR) has ceased to audit hospitals for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as required by another 2008 law. 

The Health Information Technology for Economic and Clinical Health Act (HITECH) created the federal electronic health record incentive program that provided billions of dollars in assistance for hospitals and other providers to purchase and install the digital recordkeeping systems. The law also deemed mandatory previously voluntary audits of providers to ensure they implemented the “administrative, physical, and technical safeguards necessary to ensure the confidentiality, integrity, and availability of” patient data.

The report found that the OCR had audited 115 HIPAA covered entities (47 health plans, 61 healthcare providers, and 7 clearinghouses) as part of its “pilot audit program.”

“However, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available,” the OIG reported.

The audits, which were contracted out to KPMG, found providers generally had greater compliance “gaps” than insurers and clearinghouses. Additionally, small healthcare entities were more likely to fall short in every area measured: privacy, security, and breach notification.

Another contractor, PwC, is assessing the results of the study and is expected to report its findings before the end of 2013.

“Based upon the findings and recommendations of PwC's evaluation, OCR will make decisions about a permanent audit program,” Leon Rodriguez, director of OCR, wrote the OIG.

Publication Date: Wednesday, December 04, 2013