Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it's official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule

The Office for Civil Rights (OCR) did not meet certain Federal requirements critical to the oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule (Security Rule). OCR had not assessed risks, established priorities, or implemented controls for its Federal requirements to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. In addition, OCR's Security Rule investigation files did not contain required documentation supporting key decisions made because management had not implemented sufficient controls, including supervisory review and documentation retention, to ensure investigators follow investigation policies and procedures for properly initiating, processing, and closing Security Rule investigations. Further, OCR had not fully complied with Federal cybersecurity requirements for its information systems used to process and store investigation data because it focused on system operability to the detriment of system and data security.

We recommended that OCR (1) assess the risks, establish priorities, and implement controls for its HITECH auditing requirements; (2) provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities; (3) implement sufficient controls, such as supervisory reviews and documentation retention, to ensure policies and procedures for Security Rule investigations are followed; and (4) implement the National Institute of Standards and Technology Risk Management Framework for systems used to oversee and enforce the Security Rule. In its comments on our draft report, OCR generally concurred with our recommendations and described the actions it has taken to address them. In specific comments on our second recommendation, however, OCR explained that no funds had been appropriated for it to maintain a permanent audit program and that funds used to support audit activities previously conducted were no longer available.

Filed under: General Departmental