The Office of Inspector General issued a final report October 27 reviewing CMS' HIPAA security rule oversight, implementation, and enforcement.
The largely critical report ("Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07-05064]") describes the OIG's findings and recommendations for CMS, but it also sends a message to covered entities.
"This is a formalized wakeup call for CMS; as an enforcement arm, it will be held accountable to fulfill its duties," says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA security rule. "But it also says to the healthcare industry that CMS is going to be coming after you."
The OIG findings and recommendation
CMS' limited actions in terms of security rule implementation have "not provided effective oversight or encouraged enforcement" of covered entities, according to the report. Because CMS only investigated noncompliant covered entities when it received a complaint, the OIG also determined that "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected."
OIG audits of multiple covered entities confirmed this fact. According to the report, OIG audits of several hospitals showed "numerous, significant vulnerabilities" in security systems intended to protect ePHI, leaving it at high risk. Further, it determined that complaints would not have exposed many of the vulnerabilities the OIG has since found.
"If you just focus on a complaint, and resolving that complaint, that's not enough," says Kate Borten, CISSP, CISM, president of The Marblehead (MA) Group. "The OIG went in and found all these other problems that would never have come to light without a full compliance review."
There are generally far fewer security rule complaints than privacy rule complaints: the Office for Civil Rights had received more than 16,000 privacy rule complaints as of October 31, 2005, whereas CMS received approximately 400 security rule complaints during the same period. This is because security rule violations are largely hidden from the public eye, not because the problems don't exist, Borten says.
As a result of its findings, the OIG recommended that CMS conduct compliance reviews. CMS contracted with PricewaterhouseCoopers to conduct reviews following the OIG investigation but prior to the release of the OIG report.
The future of security rule audits
Security rule audits and reviews are not going away any time soon. In a response to the OIG's recommendation dated June 30, 2008, CMS acting administrator Kerry Weems agreed with the recommendation that CMS should implement policies and procedures for conducting compliance reviews of covered entities—both complaint-driven and not.
"We are definitely going to see more of these compliance reviews, not fewer," Borten says. "I think this year CMS is just testing the waters, getting their feet wet."
Weems also indicated that CMS and the OIG are considering possible future collaboration on security rule enforcement efforts, including compliance reviews, in fiscal year 2009. The OIG also has multiple audits of covered entities currently ongoing, according to the report.
"The OIG is now on record saying that this is a serious ongoing program that is going to be periodically watched," Parmigiani says. "In other words, listen up. This isn't a one-shot deal. You need to be audit-ready."
"The enforcement heat is on, and it could be turned up," he says.
To view the report, visit www.oig.hhs.gov/oas/reports/region4/40705064.pdf
For more detailed information on HIPAA security audits and compliance, Borten and Parmigiani will be speaking during a November 5 HCPro audio conference, "HIPAA Security Audits: Use Recent Findings to Develop an Effective Compliance Plan."