Health Information Management

Protect ePHI in light of new OIG report

HIM-HIPAA Insider, November 11, 2008

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

The Office of Inspector General (OIG) issued a final report October 27 reviewing CMS’ HIPAA security rule oversight, implementation, and enforcement. The largely critical report ("Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07-05064]") describes the OIG’s findings and recommendations for CMS, but it also sends a message to covered entities.

"This is a formalized wakeup call for CMS; as an enforcement arm, it will be held accountable to fulfill its duties," says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA security rule. "But it also says to the healthcare industry that CMS is going to be coming after you."

According to the report, OIG audits of several hospitals showed "numerous, significant vulnerabilities" in security systems intended to protect electronic protected health information (ePHI), leaving it at high risk. Further, it determined that complaints would not have exposed many of the vulnerabilities the OIG has since found. As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but prior to the release of the OIG report.

To view the report, visit



1 comment on “Protect ePHI in light of new OIG report”

Jorge (2/20/2013 at 9:37 PM)
Where can I get a sample or template BA that includes HIPAA and HITECH provisions? We are seeing more indemnification language, cost recovery language, etc. in BAs now than what we feel the BA was originally intended. Thoughts?

