[Med-privacy] HIPAA enforcement
peter marshall
pwm@comcast.net
Mon, 3 Nov 2008 15:19:44 -0800
Inspector general knocks HIPAA security oversight
November 3, 2008 — MacRonin

Inspector general knocks HIPAA security oversight - Via Gov Health IT:

A review by the Department of Health and Human Services has found the Centers for Medicare and Medicaid Services wanting when it comes to oversight of health information security.

HHS’ Office of the Inspector General issued a report Oct. 27 that finds CMS has fallen short of its charter to enforce the Health Insurance Portability and Accountability Act’s security provisions. The report states that “limited actions” by CMS have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.”

HIPAA establishes security standards for ensuring that only authorized parties may access personally identifiable health information. The standards, according to CMS, fall into three categories: administrative, physical, and technical safeguards. Covered entities include health care providers or insurance plans that transmit health information in electronic form.

The IG’s office conducted field work for a CMS audit in 2007. As of Aug. 24 of last year, the IG found “CMS had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions.”

As part of its field work, the IG conducted a HIPAA security audit at one hospital and discovered “significant vulnerabilities in the hospital’s systems and controls” intended to protect personally identifiable health information. Preliminary results from seven other hospital audits uncovered vulnerabilities as well, the report states.

The report acknowledged that the field work was undertaken prior to CMS’ contract to do compliance reviews. In January, CMS contracted with PriceWaterhouseCoopers to help with the compliance reviews. A CMS spokesman said they have conducted 10 hospital compliance reviews thus far.

In general, the report takes issue with CMS’s “complaint driven enforcement” process. CMS, according to the HHS’ IG, relies on complaints to identify the organizations it might investigate. The report contends that reliance on complaints alone has proven ineffective for finding organizations that have failed to comply with the security rule.

“What CMS has been doing -- which the Office for Civil Rights has been doing on the privacy side -- is to wait for people to come to them and point out problems,” noted Kirk Nahra, a partner with Wiley Rein, a law firm with offices in Washington D.C. and Northern Virginia. HHS’ Office for Civil Rights investigates complaints regarding HIPAA’s privacy rule.

The IG, on the other hand, appears to prefer that CMS go out and check on people, Nahra said. The more proactive enforcement mode requires resources, however. “At the end of the day, that is a resource allocation issue,” Nahra said.

The report notes that CMS disagreed with the IG’s finding, “because it believes that its complaint-driven enforcement process has furthered the goal of voluntary compliance.” However, the report also said CMS agreed that compliance reviews are “a useful enforcement tool as part of a more comprehensive enforcement strategy.”

In its formal response to the report, CMS said the IG’s “singular focus on compliance reviews neglects the value that other methods, such as complaint investigation and resolution, increased outreach to industry, and education, have demonstrated in improving compliance.”
[Privacy Digest]