The Office of the Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) released a report on the oversight and enforcement actions conducted by the Centers for Medicare & Medicaid Services (CMS) pertaining to hospitals’ implementation of the HIPAA Security Rule. The OIG conducted its audits at CMS in Baltimore, Maryland, and at seven hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. The OIG concluded that CMS oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule to safeguard electronic protected health information (ePHI).
Specifically, in 7 hospitals throughout the Nation, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact, 24 as medium impact, and 3 as low impact. The OIG concluded that these high impact vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. The OIG identified a host of vulnerabilities representing failures in all three categories (technical, physical, and administrative) of the Security Rule.
The OIG’s primary criticism focused on CMS limiting its reviews to only those entities that had had complaints filed against them, had been identified in the media as potentially violating the Security Rule, or had been recommended by OCR. Accordingly, the OIG recommended resolving these vulnerabilities by subjecting covered entities that had not otherwise been identified or recommended to increased CMS audit and review.
This report highlights the need for providers to comply with the administrative, physical, and technical safeguards mandated by the HIPAA Privacy and Security rules; obtain the resources available to develop and implement these mandates; and recognize the potential penalties for failure to effectuate these mandates in a timely manner.
This post was contributed by Charles Dunham.