The following caught my eye last week.
A review by the Health and Human Services Department has found the Centers for Medicare and Medicaid Services wanting when it comes to oversight of health information security.
HHS’ Office of the Inspector General issued a report Oct. 27 that finds CMS has fallen short of its charter to enforce the Health Insurance Portability and Accountability Act’s security provisions. The report states that “limited actions” by CMS have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.”
HIPAA establishes security standards for ensuring that only authorized parties may access personally identifiable health information. The standards, according to CMS, fall into three categories: administrative, physical, and technical safeguards. Covered entities include health care providers or insurance plans that transmit health information in electronic form.
The IG’s office conducted field work for a CMS audit in 2007. As of Aug. 24 of last year, the IG found “CMS had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions.”
As part of its field work, the IG conducted a HIPAA security audit at one hospital and discovered “significant vulnerabilities in the hospital’s systems and controls” intended to protect personally identifiable health information. Preliminary results from seven other hospital audits uncovered vulnerabilities as well, the report states.
More information is found here:
The Executive Summary of the full report is as follows:
Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight
We found that the Centers for Medicare and Medicaid Services (CMS) had taken limited actions to ensure that covered entities adequately implemented the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. The HIPAA Security Rule requires a covered entity, such as a health plan or health care provider that transmits any health information in electronic form, to (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information.
CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that electronic protected health information was being adequately protected. We noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints.
We recommended that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities. CMS did not agree with our findings because it believed that its complaint-driven enforcement process has furthered the goal of voluntary compliance. However, CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities. We maintain that adding these reviews to its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.
This page and a link to a download of the full report are found here:
This audit report is a reminder that, if privacy is going to be protected, and seen to be protected, passing laws is only the first step. Implementation, enforcement and review mechanisms are also crucial.
The lesson for those elsewhere implementing e-Health projects is quite clear and needs to be heeded.