If you follow HHS’s public breach tool and investigations closely, two reports from the Office of the Inspector General (OIG) finding lax oversight and insufficient follow-up will come as no surprise. Susan Hall of FierceHealthIT has a good recap:
The former report was based on reviews of a statistical sample of privacy cases investigated by OCR between September 2009 and March 2011. The latter report was based on audits in which OIG reviewed a statistical sample of large breaches – those affecting 500 people or more – and of small breaches over that same time period. OCR staff members also were interviewed for both reports.
For the former report, OIG called OCR’s oversight “primarily reactive,” adding that OCR has yet to fully implement its audit program to proactively assess possible noncompliance from covered entities.
[…]
The latter report determined that 23 percent of large cases in which a HIPAA violation was found had incomplete documentation of the corrective actions taken.
Read more on FierceHealthIT.