OIG reports cite weakness in OCR and ONC efforts to protect ePHI

HIM-HIPAA Insider, May 24, 2011

The Office of the Inspector General released two reports May 17 questioning the efforts of the Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) in helping to ensure the protection of electronic protected health information (ePHI).

The report on the audit of ONC’s security efforts, “Audit of Information Technology Security Included in Health Information Technology Standards,” notes that ONC has application IT security controls in the interoperability specification but no HIT standards for general IT security controls (e.g., policies and procedures for an organization’s overall computer operations or to create a secure environment for application systems and controls).

“We found a lack of general IT security controls during prior audits at Medicare contractors, state Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed,” the report stated.

OIG recommends that the ONC take a number of steps in addition to developing standards for general IT security controls, including offering guidance on HIT security standards and best practices to the industry, emphasizing the importance of HIT, and working with the OCR and CMS to develop security controls.

Meanwhile, the report detailing the OCR’s and CMS’ efforts, “Nationwide Rollup Review of the CMS HIPAA Oversight,” focuses on seven hospital audits. OIG identified 151 vulnerabilities concerning ePHI, the vast majority of which it categorized as “high impact.” Issues included wireless access vulnerabilities, ineffective encryption, and lack of monitoring. The report stated the following:

“These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.”

The report found CMS’ prior enforcement actions to be insufficient and notes that while the OCR has a process for conducting compliance reviews in situations unrelated to complaints, it has not done so.