The OIG findings and recommendation
Patient Financial Services Weekly Advisor, November 7, 2008
CMS’ limited actions on security rule implementation have “not provided effective oversight or encouraged enforcement” of covered entities, according to the report. Because CMS investigated noncompliant covered entities only when it received a complaint, the OIG also determined that “CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected.”
OIG audits of multiple covered entities confirmed this fact. According to the report, OIG audits of several hospitals showed “numerous, significant vulnerabilities” in security systems intended to protect ePHI, leaving it at high risk. Further, it determined that complaints would not have exposed many of the vulnerabilities the OIG has since found.
“If you just focus on a complaint, and resolving that complaint, that’s not enough,” says Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. “The OIG went in and found all these other problems that would never have come to light without a full compliance review.”
There are generally fewer security rule complaints than privacy rule complaints: the Office for Civil Rights had received more than 16,000 privacy rule complaints as of October 31, 2005, whereas CMS received approximately 400 security rule complaints during the same time period. This is because security rule violations are largely hidden from the public eye, not because the problems don't exist, Borten says.
As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but prior to the release of the OIG report.