
No monetary fines inflicted during CMS' HIPAA rule


By Joseph Conn
Posted: August 12, 2009 - 11:00 am ET

On July 31, HHS Secretary Kathleen Sebelius announced she was transferring authority for enforcing the security rule provisions under the Health Insurance Portability and Accountability Act from the CMS to the Civil Rights Office at HHS. The transfer was to take effect immediately. Until that date, and beginning in April 2005, the CMS had had primary oversight responsibilities regarding the security rule.

Here's how the CMS did during its period of HIPAA security rule stewardship.

According to the CMS, it investigated 428 security complaints. Of those, 55 resulted in requiring a so-called HIPAA “covered entity” to come up with a corrective action plan to cure security deficiencies. Corrective work on almost all of those plans has been completed, according to the CMS. Any “open” plans with remaining milestones will be monitored by the Civil Rights Office going forward.

In addition, between 2007 and 2008, the CMS hired contractors to conduct 18 on-site compliance reviews that evaluated healthcare organizations for their risk management plans, policies, procedures, technologies and physical safeguards. Several compliance reviews yielded corrective action plans, some of which are among those still open, according to CMS.

Of the 428 security complaints and subsequent investigations over the four years and three months of its jurisdiction, the CMS levied no civil monetary penalties against security violators. The unblemished CMS record, however, was greatly surpassed by the Civil Rights Office, which began enforcing the HIPAA privacy rule in April 2003. The Civil Rights Office has fielded more than 44,000 complaints through June 30 of this year, according to its Web site, and closed more than 8,700 cases it investigated. Over more than six years of enforcement, however, the Civil Rights Office, like the CMS, has not issued a single civil monetary penalty. Civil penalties are $100 per violation capped at $25,000 per year for each requirement violated.

Last year, the CMS did join with the Civil Rights Office in one enforcement action that resulted in a settlement agreement with Providence Health & Services, Seattle, after tapes and other storage media bearing records of more than 300,000 patients were stolen from a hospital employee's vehicle. The agreement included a $100,000 “resolution amount,” but Providence did not concede in the agreement that the incidents were HIPAA rule violations.

In October 2008, the inspector general's office at CMS issued a report blasting the agency for lax enforcement of the HIPAA security rule.
