Thursday, October 30, 2008
DHHS OIG Nationwide Review of CMS HIPAA Oversight
On October 7, 2003, the U.S. Department of Health and Human Services delegated to CMS:
(1) the authority and responsibility to interpret, implement, and enforce the HIPAA Security Rule provisions; (2) the authority to conduct compliance reviews and to investigate and resolve complaints of HIPAA Security Rule noncompliance; and (3) the authority to impose civil monetary penalties for a covered entity's failure to comply with the HIPAA Security Rule provisions. The Final Rule for enforcement of this delegation became effective on February 16, 2006.
Our objective was to evaluate the effectiveness of CMS's oversight and enforcement of covered entities' implementation of the HIPAA Security Rule.
CMS had taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. Although authorized to do so by Federal regulations as of February 16, 2006, CMS had not conducted any HIPAA Security Rule compliance reviews of covered entities. To fulfill its oversight responsibilities, CMS relied on complaints to identify any noncompliant covered entities that it might investigate. As a result, CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected.
Although reliance on complaints alone was ineffective for identifying noncompliant covered entities, we noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints. CMS has developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with the Office for Civil Rights for complaints with privacy elements, developing corrective action plans, and remediating complaints.
Ongoing Office of Inspector General audits of various hospitals nationwide indicate that CMS needs to become more proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews. Preliminary results of these audits show numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities. These vulnerabilities place the confidentiality and integrity of ePHI at high risk. During our audit, CMS began taking steps to conduct compliance reviews. After we completed our fieldwork but before we issued our report, CMS executed a contract to conduct compliance reviews at covered entities.
We recommend that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities.
CMS did not agree with our findings because it believes that its complaint-driven enforcement process has furthered the goal of voluntary compliance. CMS agreed, however, that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy. CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities but emphasized that compliance reviews are just one of several tools that can be used to promote compliance.
Although CMS's complaint-driven enforcement process has furthered the goal of voluntary compliance, the significant vulnerabilities we identified at hospitals throughout the country would not generally have been identified through HIPAA Security Rule complaints. In fact, CMS has received very few complaints regarding potential HIPAA Security Rule violations. Including compliance reviews of covered entities in its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.
OIG Report