Corporate Compliance

OIG calls CMS out for lack of action in HIPAA enforcement

Healthcare Auditing Weekly, November 4, 2008

The OIG blasted CMS for its limited enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in an October 27 report.
In October 2003, the Department of Health and Human Services gave CMS authority to:
  • Interpret, implement, and enforce the HIPAA Security Rule provisions
  • Conduct compliance reviews and investigate and resolve complaints of HIPAA Security Rule noncompliance
  • Impose civil monetary penalties for a covered entity’s failure to comply with the HIPAA Security Rule provisions
After a recent review, the OIG concluded CMS has “taken limited action to ensure that covered entities adequately implement the HIPAA Security Rule.” The report revealed CMS has not conducted a compliance review of covered entities. The report said CMS fulfilled its oversight responsibilities by relying on complaints to identify noncompliance. The OIG, however, found this process unproductive despite praising it as an “effective process for receiving, categorizing, tracking, and resolving complaints.”
The OIG also said in its report that CMS needs to “become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews.” The OIG recommended CMS establish policies and procedures for conducting compliance reviews.
CMS disagreed with the OIG’s findings and with the OIG’s statement that its oversight process was ineffective, but agreed with the recommendation for more specific policies.

