Corporate Compliance

OIG reports cite weaknesses in OCR and ONC efforts to protect ePHI

Compliance Monitor, May 18, 2011

by Andrea Kraynak, CPC, senior managing editor, HCPro, Inc.

The HHS Office of the Inspector General (OIG) released two reports May 17 questioning the efforts of the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) in helping to ensure the protection of electronic protected health information (ePHI).

The report on the audit of ONC’s security efforts, “Audit of Information Technology Security Included in Health Information Technology Standards,” notes that ONC’s interoperability specification includes application-level IT security controls but that ONC has issued no HIT standards for general IT security controls (e.g., policies and procedures governing an organization’s overall computer operations, or controls that create a secure environment for application systems and their controls).

“We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed,” according to the report.

OIG recommends that ONC take a number of steps in addition to developing standards for general IT security controls, including offering guidance on HIT security standards and best practices to the industry, emphasizing the importance of HIT security, and working with OCR and CMS to develop security controls.

Meanwhile, the report detailing OCR’s and CMS’ efforts, “Nationwide Rollup Review of the CMS HIPAA Oversight,” focuses on seven hospital audits. OIG identified 151 vulnerabilities concerning ePHI, the vast majority of which it categorized as “high impact.” Issues included wireless access vulnerabilities, ineffective encryption, and a lack of monitoring. The report stated the following:

These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.

The report found CMS’ prior enforcement actions to be insufficient and notes that, while OCR has a process for conducting compliance reviews in situations unrelated to complaints, it has not yet conducted any such reviews.
