Health Information Management

OIG calls HIPAA security rule oversight and enforcement ineffective

HIM-HIPAA Insider, November 10, 2008

The Office of Inspector General (OIG) issued a largely critical final report October 27 reviewing CMS’ HIPAA security rule oversight, implementation, and enforcement.
 
The report, “Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07-05064],” describes the OIG’s findings and recommendations for CMS.
 
CMS’ limited actions in terms of security rule implementation have “not provided effective oversight or encouraged enforcement” of covered entities, according to the report. CMS investigated covered entities for noncompliance only upon receipt of complaints. For that reason, the OIG also determined that “CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected.”
 
OIG audits of multiple covered entities confirmed this fact. According to the report, OIG audits of several hospitals showed “numerous, significant vulnerabilities” in security systems intended to protect ePHI, leaving it at high risk. Further, it determined that complaints would not have exposed many of the vulnerabilities the OIG has since found.
 
As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but before release of the OIG report.
 
“The OIG is now on record saying that this is a serious ongoing program that is going to be periodically watched,” says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA security rule. “In other words, listen up. This isn’t a one-shot deal. You need to be audit-ready.”
 
