This week the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a very interesting assessment of how well, and how effectively, the Centers for Medicare & Medicaid Services (CMS) was performing their Health Insurance Portability and Accountability Act (HIPAA) oversight responsibilities.
The report is 19 pages long, but here are the primary messages from the report…
“To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.”
“However, as of August 24, 2007, CMS had not established any policies or procedures for conducting compliance reviews at covered entities. CMS officials explained that they were not conducting HIPAA Security Rule compliance reviews because they relied solely on complaints to promote voluntary compliance. This approach has met with limited success because CMS has received very few complaints regarding potential HIPAA Security Rule violations.
ELECTRONIC PROTECTED HEALTH INFORMATION AT RISK
As of August 24, 2007, CMS had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions. Nor did CMS know how vulnerable ePHI was to attack by individuals intent on accessing and misusing protected health information.
As part of our audit of CMS, we audited the HIPAA Security Rule implementation at one hospital and found significant vulnerabilities in the hospital’s systems and controls intended to protect ePHI. In addition, we began audits at seven other hospitals around the country. The preliminary results have also identified significant vulnerabilities with the hospitals’ implementation of the administrative, technical, and physical safeguard provisions of the HIPAA
Security Rule. These vulnerabilities place the confidentiality and integrity of ePHI at risk and would not generally be included in complaints.
RECOMMENDATION
We recommend that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities.”
Amazing.
CMS did not even have, after all these years of oversight responsibility, documented policies or procedures in place for HIPAA compliance reviews.
CMS did not know how vulnerable electronic protected health information (ePHI) was even though “As of October 31, 2005, OCR had received and initiated review of over 16,000 complaints.” This was only within a few short months!
I couldn’t find how many total complaints they have received to this date.
After having been made responsible for HIPAA Security Rule compliance in 2003, 5 years later the oversight agency still had no process in place for enforcement.
Lack of holding government agencies responsible for doing their jobs is much too common.
Is this going to change with the new administration?
Tags: awareness and training, CMS, HHS, HIPAA, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training