Privacy Digest

News that can impact your privacy.

Inspector general knocks HIPAA security oversight

Submitted by MacRonin on November 3, 2008 - 6:00pm.
  • Alert
  • Databases
  • Government
  • HIPAA
  • ID
  • Privacy
  • Reports
  • Rights
  • Standards

Inspector general knocks HIPAA security oversight - Via Gov Health IT:

A review by the Department of Health and Human Services has found the Centers for Medicare and Medicaid Services wanting when it comes to oversight of health information security.

HHS’ Office of the Inspector General issued a report Oct. 27 that finds CMS has fallen short of its charter to enforce the Health Insurance Portability and Accountability Act’s security provisions. The report states that “limited actions” by CMS have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.”

HIPAA establishes security standards for ensuring that only authorized parties may access personally identifiable health information. The standards, according to CMS, fall into three categories: administrative, physical, and technical safeguards. Covered entities include health care providers or insurance plans that transmit health information in electronic form.

The IG’s office conducted field work for a CMS audit in 2007. As of Aug. 24 of last year, the IG found “CMS had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions.”

As part of its field work, the IG conducted a HIPAA security audit at one hospital and discovered “significant vulnerabilities in the hospital’s systems and controls” intended to protect personally identifiable health information. Preliminary results from seven other hospital audits uncovered vulnerabilities as well, the report states.

The report acknowledged that the field work was undertaken prior to CMS’ contract to do compliance reviews. In January, CMS contracted with PricewaterhouseCoopers to help with the compliance reviews. A CMS spokesman said they have conducted 10 hospital compliance reviews thus far.

In general, the report takes issue with CMS’s “complaint driven enforcement” process. CMS, according to the HHS' IG, relies on complaints to identify the organizations it might investigate. The report contends that reliance on complaints alone has proven ineffective for finding organizations that have failed to comply with the security rule.

“What CMS has been doing -- which the Office for Civil Rights has been doing on the privacy side -- is to wait for people to come to them and point out problems,” noted Kirk Nahra, a partner with Wiley Rein, a law firm with offices in Washington D.C. and Northern Virginia. HHS’ Office for Civil Rights investigates complaints regarding HIPAA’s privacy rule.

The IG, on the other hand, appears to prefer that CMS go out and check on people, Nahra said. The more proactive enforcement mode requires resources, however. “At the end of the day, that is a resource allocation issue,” Nahra said.

The report notes that CMS disagreed with the IG’s finding, “because it believes that its complaint-driven enforcement process has furthered the goal of voluntary compliance.” However, the report also said CMS agreed that compliance reviews are “a useful enforcement tool as part of a more comprehensive enforcement strategy.”

In its formal response to the report, CMS said the IG's "singular focus on compliance reviews neglects the value that other methods, such as complaint investigation and resolution, increased outreach to industry, and education, have demonstrated in improving compliance."

(Read Original Article - Via Gov Health IT.)


Compilation © Copyright 1997-2009 Paul Hardwick, with Web Hosting provided by MacRonin.com.