Government News
Published Online: 5 December 2008

Audit Finds Lax Enforcement of HIPAA Security Provisions

The federal Centers for Medicare and Medicaid Services (CMS) needs to do a better job of monitoring compliance with HIPAA security standards by health plans participating in Medicare, the Medicare Part D prescription drug program, and other public programs, according to a report by the Inspector General's Office.
Specifically, CMS needs to adopt an ongoing, proactive monitoring system to ensure compliance with security standards rather than rely on the "complaint-based" system currently in use, by which the agency responds to breaches of security standards only when a complaint is received.
The Security Rule of HIPAA (the Health Insurance Portability and Accountability Act of 1996) established national standards that protect the confidentiality and integrity of electronic health information (ePHI) while it is being stored or transmitted between entities. In 2003 the U.S. Department of Health and Human Services delegated to CMS the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; conduct compliance reviews and investigate and resolve complaints of HIPAA Security Rule noncompliance; and impose civil monetary penalties for a covered entity's failure to comply with the HIPAA Security Rule provisions (Psychiatric News, June 17, 2005; January 3, 2003).
But an October report from the Inspector General's Office titled "Nationwide Review of the Centers for Medicare and Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight" stated that CMS has not lived up to its mandate.
"CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule," according to the report. "These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by federal regulations, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.
“Our ongoing audits of various hospitals nationwide indicate that CMS needs to become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews,” the inspector general's report stated. “Preliminary results of these audits show numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. These vulnerabilities place the confidentiality and integrity of ePHI at high risk.”
Although CMS's complaint-driven enforcement process has furthered the goal of voluntary compliance, the significant vulnerabilities identified at hospitals throughout the country would not generally have been identified in HIPAA Security Rule complaints. In fact, CMS has received very few complaints regarding potential HIPAA Security Rule violations. Including compliance reviews of covered entities in its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented, according to the inspector general.
As part of its audit of CMS, the Inspector General's Office audited the HIPAA Security Rule implementation at one hospital and found significant "vulnerabilities" in systems and controls intended to protect ePHI. In addition, the inspector general began audits at seven other hospitals around the country. The preliminary results have also identified significant "vulnerabilities" in the hospitals' implementation of the administrative, technical, and physical safeguard provisions of the HIPAA Security Rule.
“These vulnerabilities place the confidentiality and integrity of ePHI at risk and would not generally be included in complaints,” according to the report.
"Nationwide Review of the Centers for Medicare and Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight" is posted at <http://oig.hhs.gov/oas/reports/region4/40705064.pdf>.

Published in print: December 5, 2008

Notes

CMS is urged to adopt an ongoing, proactive monitoring system to ensure compliance with HIPAA standards and replace the current complaint-based system.