The HHS inspector general's office has blasted the CMS for lax enforcement of the security rule under the 1996 Health Insurance Portability and Accountability Act, saying in an accompanying letter to CMS acting Administrator Kerry Weems that the inspector general's own audits of hospital security systems (audits of the type the CMS should have performed) show numerous, significant vulnerabilities that put patient data at high risk.
Under HIPAA, HHS delegated security-rule enforcement authority to the CMS.
The report said the CMS has done a good job establishing a mechanism to receive complaints from the public about security issues at healthcare organizations and has effectively followed up with those organizations to remedy the problems raised in the complaints. But that method alone is not enough to adequately safeguard patient information, the inspector general's office said in its 19-page report. The report also noted that the CMS has received very few complaints regarding potential HIPAA security-rule violations.
The inspector general noted that although the CMS was authorized by federal regulations to conduct compliance reviews of covered organizations, it has failed to perform any since the security rule went into effect on Feb. 16, 2006.
As a result, the inspector general concluded, the CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA security rule or that ePHI (electronic protected health information) was being adequately protected. The inspector general recommended that the CMS establish policies and procedures for conducting HIPAA security-rule compliance reviews of covered entities.
To support its assertion that the current CMS approach is inadequate, the report noted that, as part of its audit of CMS security-enforcement procedures, the inspector general conducted one audit of an unnamed hospital and found "significant vulnerabilities in the hospital's systems and controls intended to protect ePHI," the report stated. "In addition, we began audits at seven other hospitals around the country. The preliminary results have also identified significant vulnerabilities with the hospitals' implementation of the administrative, technical and physical safeguard provisions of the HIPAA rule."
In a three-page response, Weems said, "We agree that compliance reviews are part of a comprehensive enforcement strategy, but also feel that they are but one of several tools that can be used to promote compliance." -- by Joseph Conn