OIG calls HIPAA security rule oversight and enforcement ineffective
HIPAA Weekly Advisor, November 10, 2008
The Office of Inspector General (OIG) issued a largely critical final report October 27 reviewing CMS’ HIPAA security rule oversight, implementation, and enforcement.
The report, “Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07-05064],” describes the OIG’s findings and recommendations for CMS.
CMS’ limited actions in terms of security rule implementation have “not provided effective oversight or encouraged enforcement” of covered entities, according to the report. CMS investigated covered entities for noncompliance only upon receipt of complaints. For that reason, the OIG also determined that “CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected.”
OIG audits of multiple covered entities confirmed this fact. According to the report, OIG audits of several hospitals showed “numerous, significant vulnerabilities” in security systems intended to protect ePHI, leaving it at high risk. Further, the OIG determined that complaints would not have exposed many of the vulnerabilities it has since found.
As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but before release of the OIG report.
“The OIG is now on record saying that this is a serious ongoing program that is going to be periodically watched,” says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA security rule. “In other words, listen up. This isn’t a one-shot deal. You need to be audit-ready.”
