From 2003 to 2008, CMS did not conduct any Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule compliance reviews of covered entities, although it was authorized by statute and by regulations adopted by HHS to conduct these reviews. The HIPAA Security Rule requires a covered entity, such as a health plan or health care provider that transmits any health information in electronic form, to: (1) ensure the integrity and confidentiality of the information; (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information; and (3) protect against unauthorized uses or disclosures of the information. As a result, CMS had no effective means to ensure that covered entities were complying with the HIPAA Security Rule or that electronic protected health information (ePHI) was being adequately protected.
CMS did have an effective process for receiving, categorizing, tracking, and resolving complaints in its oversight and enforcement of covered entities' implementation of the HIPAA Security Rule, but CMS' reliance on complaints alone was ineffective for identifying noncompliant covered entities. CMS developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with the Office for Civil Rights on complaints with privacy elements, developing corrective action plans, and remediating complaints. However, preliminary results of OIG audits at hospitals nationwide demonstrated numerous significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. The OIG recommended that CMS become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews.
CMS' assessment
CMS did not agree with the Office of Inspector General (OIG) findings because it believed that its complaint-driven enforcement process furthered the goal of voluntary compliance. The agency stated that the OIG equated the effectiveness of CMS' enforcement activities with the presence or absence of a compliance review program. CMS agreed that compliance reviews were part of a comprehensive enforcement strategy, but only one of several tools that could be used to promote compliance. In CMS' view, the OIG's singular focus on compliance reviews neglected the value that other methods, such as complaint investigation and resolution and increased outreach and education to industry, had in improving compliance.
However, CMS began taking steps to conduct compliance reviews once the OIG completed its fieldwork and before the report was issued. CMS negotiated a contract with a professional services company to conduct compliance reviews at covered entities, including onsite reviews of certain covered entities. An onsite review would assess the entity's (1) compliance with respect to the facts alleged in a complaint and (2) overall security practices, risk assessment, and policies and procedures.
Source: OIG Report, No. A-04-07-05064, Sept. 10, 2007.