The federal Centers for Medicare and Medicaid Services (CMS) needs to do a
better job of monitoring compliance with HIPAA security standards by health
plans participating in Medicare, the Medicare Part D prescription drug
program, and other public programs, according to a report by the Inspector
Specifically, CMS needs to adopt an ongoing, proactive monitoring system to
ensure compliance with security standards rather than rely on the
"complaint-based" system currently in use, by which the agency
responds to breaches of security standards when a complaint is received.
The Security Rule of HIPAA (the Health Insurance Portability and
Accountability Act of 1996) established national standards that protect the
confidentiality and integrity of electronic health information (ePHI) while it
is being stored or transmitted between entities. In 2003 the U.S. Department
of Health and Human Services delegated to CMS the authority and responsibility
to interpret, implement, and enforce the HIPAA Security Rule provisions;
conduct compliance reviews and investigate and resolve complaints of HIPAA
Security Rule noncompliance; and impose civil monetary penalties for a covered
entity's failure to comply with the HIPAA Security Rule provisions
(Psychiatric News, June 17, 2005; January 3, 2003).
But an October report from the Inspector General's Office titled
"Nationwide Review of the Centers for Medicare and Medicaid Services
Health Insurance Portability and Accountability Act of 1996 Oversight"
stated that CMS has not lived up to its mandate.
"CMS had taken limited actions to ensure that covered entities
adequately implement the HIPAA Security Rule," according to the report.
"These actions had not provided effective oversight or encouraged
enforcement of the HIPAA Security Rule by covered entities. Although
authorized to do so by federal regulations, CMS had not conducted any HIPAA
Security Rule compliance reviews of covered entities. To fulfill its oversight
responsibilities, CMS relied on complaints to identify any noncompliant
covered entities that it might investigate. As a result, CMS had no effective
mechanism to ensure that covered entities were complying with the HIPAA
Security Rule or that ePHI was being adequately protected.
"Our ongoing audits of various hospitals nationwide indicate that CMS
needs to become proactive in overseeing and enforcing implementation of the
HIPAA Security Rule by focusing on compliance reviews," the inspector
general's report stated. "Preliminary results of these audits show
numerous, significant vulnerabilities in the systems and controls intended to
protect ePHI at covered entities. These vulnerabilities place the
confidentiality and integrity of ePHI at high risk."
Although CMS's complaint-driven enforcement process has furthered the goal
of voluntary compliance, the significant vulnerabilities identified at
hospitals throughout the country would not generally have been identified in
HIPAA Security Rule complaints. In fact, CMS has received very few complaints
regarding potential HIPAA Security Rule violations. Including compliance
reviews of covered entities in its oversight process will enhance CMS's
ability to determine whether the HIPAA Security Rule is being properly
implemented, according to the inspector general.
As part of its audit of CMS, the Inspector General's Office audited the
HIPAA Security Rule implementation at one hospital and found "significant
vulnerabilities" in systems and controls intended to protect
ePHI. In addition, the inspector general began audits at seven other hospitals
around the country. The preliminary results have also identified "significant
vulnerabilities" with the hospitals' implementation of the
administrative, technical, and physical safeguard provisions of the HIPAA
"These vulnerabilities place the confidentiality and integrity of
ePHI at risk and would not generally be included in complaints,"
according to the report.
"Nationwide Review of the Centers for Medicare and Medicaid
Services Health Insurance Portability and Accountability Act of 1996
Oversight" is posted at <http://oig.hhs.gov/oas/reports/region4/40705064.pdf>.