Skip to main content
Full access
Government News
Published Online: 5 December 2008

Audit Finds Lax Enforcement of HIPAA Security Provisions

The federal Centers for Medicare and Medicaid Services (CMS) needs to do a better job of monitoring compliance with HIPAA security standards by health plans participating in Medicare, the Medicare Part D prescription drug program, and other public programs, according to a report by the Inspector General's Office.
Specifically, CMS needs to adopt an ongoing, proactive monitoring system to ensure compliance with security standards rather than rely on the“ complaint-based” system currently in use by which the agency responds to breaches of security standards when a complaint is received.
The Security Rule of HIPAA (the Health Insurance Portability and Accountability Act of 1996) established national standards that protect the confidentiality and integrity of electronic health information (ePHI) while it is being stored or transmitted between entities. In 2003 the U.S. Department of Health and Human Services delegated to CMS the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; conduct compliance reviews and investigate and resolve complaints of HIPAA Security Rule noncompliance; and civil monetary penalties for a covered entity's failure to comply with the HIPAA Security Rule provisions (Psychiatric News, June 17, 2005; January 3, 2003).
But an October report from the Inspector General's Office titled“ Nationwide Review of the Centers for Medicare and Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight” stated that CMS has not lived up to its mandate.
“CMS had taken limited act ions to ensure that covered entities adequately implement the HIPAA Security Rule,” according to the report.“ These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by federal regulations, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.
“Our ongoing audits of various hospitals nationwide indicate that CMS needs to become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews,” the inspector general's report stated. “Preliminary results of these audits show numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. These vulnerabilities place the confidentiality and integrity of ePHI at high risk.”
Although CMS's complaint-driven enforcement process has furthered the goal of voluntary compliance, the significant vulnerabilities identified at hospitals throughout the country would not generally have been identified in HIPAA Security Rule complaints. In fact, CMS has received very few complaints regarding potential HIPAA Security Rule violations. Including compliance reviews of covered entities in its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented, according to the inspector general.
As part of its audit of CMS, the Inspector General's Office audited the HIPAA Security Rule implementation at one hospital and found significant“ vulnerabilities” in systems and controls intended to protect ePHI. In addition, the inspector general began audits at seven other hospitals around the country. The preliminary results have also identified significant“ vulnerabilities” with the hospitals' implementation of the administrative, technical, and physical safeguard provisions of the HIPAA Security Rule.
“These vulnerabilities place the confidentiality and integrity of ePHI at risk and would not generally be included in complaints,” according to the report.
“Nationwide Review of the Centers for Medicare and Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight” is posted at<http://oig.hhs.gov/oas/reports/region4/40705064.pdf>.

Information & Authors

Information

Published In

History

Published online: 5 December 2008
Published in print: December 5, 2008

Notes

CMS is urged to adopt an ongoing, proactive monitoring system to ensure compliance with HIPAA standards and replace the current complaint-based system.

Authors

Details

Metrics & Citations

Metrics

Citations

Export Citations

If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click Download.

For more information or tips please see 'Downloading to a citation manager' in the Help menu.

Format
Citation style
Style
Copy to clipboard

View Options

View options

Login options

Already a subscriber? Access your subscription through your login credentials or your institution for full access to this article.

Personal login Institutional Login Open Athens login

Not a subscriber?

Subscribe Now / Learn More

PsychiatryOnline subscription options offer access to the DSM-5-TR® library, books, journals, CME, and patient resources. This all-in-one virtual library provides psychiatrists and mental health professionals with key resources for diagnosis, treatment, research, and professional development.

Need more help? PsychiatryOnline Customer Service may be reached by emailing [email protected] or by calling 800-368-5777 (in the U.S.) or 703-907-7322 (outside the U.S.).

Media

Figures

Other

Tables

Share

Share

Share article link

Share