Audit Shows That After 5 Years CMS *STILL* Has No Documented Procedures For Ensuring HIPAA compliance
This week the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a very interesting assessment of how well, and how effectively, the Centers for Medicare & Medicaid Services (CMS) was performing their Health Insurance Portability and Accountability Act (HIPAA) oversight responsibilities.
The report is 19 pages long, but here are the primary messages from the report...
"To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected."
"However, as of August 24, 2007, CMS had not established any policies or procedures for conducting compliance reviews at covered entities. CMS officials explained that they were not conducting HIPAA Security Rule compliance reviews because they relied solely on complaints to promote voluntary compliance. This approach has met with limited success because CMS has received very few complaints regarding potential HIPAA Security Rule violations.
ELECTRONIC PROTECTED HEALTH INFORMATION AT RISK
As of August 24, 2007, CMS had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions. Nor did CMS know how vulnerable ePHI was to attack by individuals intent on accessing and misusing protected health information.
As part of our audit of CMS, we audited the HIPAA Security Rule implementation at one hospital and found significant vulnerabilities in the hospital's systems and controls intended to protect ePHI. In addition, we began audits at seven other hospitals around the country. The preliminary results have also identified significant vulnerabilities with the hospitals' implementation of the administrative, technical, and physical safeguard provisions of the HIPAA Security Rule. These vulnerabilities place the confidentiality and integrity of ePHI at risk and would not generally be included in complaints.
RECOMMENDATION
We recommend that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities."
Amazing.
CMS did not even have, after all these years of oversight responsibility, documented policies or procedures in place for HIPAA compliance reviews.
CMS did not know how vulnerable electronic protected health information (ePHI) was even though "As of October 31, 2005, OCR had received and initiated review of over 16,000 complaints." This was only within a few short months!
I couldn't find how many total complaints they have received to this date.
After having been made responsible for HIPAA Security Rule compliance in 2003, 5 years later the oversight agency still had no process in place for enforcement.
Lack of holding government agencies responsible for doing their jobs is much too common.
Is this going to change with the new administration?
Comments
Rebecca, This is a perfect example of a couple of things. First, Government is way too big. It is impossible for any administration to effectively monitor and enforce every agency and act upon what they discover. So your question about whether or not the new administration will change this? Probably not unless privacy is a real concern of the administration. It obviously has not been of concern with the current one. I doubt that either a McCain or Obama administration will make a real difference in this but for different reasons. As long as we are at war or under the threat of terrorism (which unfortunately will probably be forever) then privacy will lose out.
The responsibility for this has to start at a much lower level than the President. The head of HHS has to do a much better job of monitoring his agencies and below him obviously the head of CMS. He apparently is too busy doing something other than his job. Maybe we should let him have a little more free time to pursue his other interests.
Posted by: Andy Willingham | October 31, 2008 7:34 AM
Andy, thanks for your thoughts!
I agree that in many ways government is too big, but in other ways they do not do enough, either.
Your point highlights the need to have the top executive of an organization, in this case the President of the U.S., be a strong and visible proponent of security and privacy in order to have it taken seriously. He (or she, some day) does not need to be an expert, but there DOES need to be an expert with some assigned authority for ensuring security and privacy issues are properly addressed, and that adequate oversight occurs.
The current administration has been documented by many groups as being lax on information security and privacy to get their other missions advanced, such as tracking terrorism, which you pointed out. However, doing appropriate activities to catch terrorists before they strike can be done while also ensuring accountability for keeping information security and preserving privacy for those individuals who, to date, have been given unbridled access to excessive amounts of personal information, with no accountability for the actions, and damages, that occur as a result of that access.
The next administration needs to ensure the government oversight groups and the regulatory compliance and law enforcement agencies are held accountable, and apply sanctions when they do inappropriate or negligent activities.
Posted by: Rebecca Herold | October 31, 2008 2:02 PM