OIG to CMS: Significant Hospital Security Vulnerabilities Are Going Undetected

June 24, 2011
Last week, the Department of Health and Human Services Office of Inspector General ("OIG") issued an audit report that took the Centers for Medicare and Medicaid Services ("CMS") to task for ineffective and incomplete enforcement of the HIPAA Security Rule. OIG charged that CMS's approach to Security Rule enforcement has left "significant vulnerabilities" in the protection of electronic medical records undetected at U.S. hospitals.

The OIG recommended that CMS establish policies and procedures for conducting security compliance reviews of HIPAA covered entities. CMS has already begun responding to the OIG's recommendations, which were apparently disclosed to CMS prior to public issuance of the audit report. As OIG noted, "After we completed our fieldwork but before we issued our report, CMS executed a contract to conduct compliance reviews at covered entities."

CMS has thus far taken a reactive, complaint-driven approach to Security Rule enforcement, much like the HHS Office for Civil Rights has done with the HIPAA Privacy Rule. CMS acting Administrator Kerry Weems responded to the OIG with a defense of CMS's complaint-driven enforcement process, stating that these efforts have furthered industry education and voluntary compliance.

The OIG countered that its audit included examination of one hospital's implementation of the Security Rule and found significant vulnerabilities with respect to protection of electronic protected health information ("ePHI"). The OIG has also begun security audits of seven other hospitals around the country.

The lesson here for hospitals is that CMS is feeling pressure from OIG to be more vigorous, aggressive and proactive in its enforcement of the HIPAA Security Rule. Because a hospital's security compliance deficiencies and vulnerabilities are often not evident to its patients, the Security Rule has not been a particularly good fit for complaint-driven enforcement. Of the 16,000 total HIPAA complaints that HHS had received as of October 31, 2005, only 413 involved potential Security Rule violations. Hospitals should evaluate whether their HIPAA Security Rule compliance programs would withstand scrutiny if CMS arrived onsite one day and "looked under the hood."
