Last week, the Department of Health and Human Services Office of Inspector General ("OIG") issued an audit report that took the Centers for Medicare and Medicaid Services ("CMS") to task for ineffective and incomplete enforcement of the HIPAA Security Rule. OIG charged that the CMS's approach to Security Rule enforcement has left "significant vulnerabilities" with respect to electronic medical records undetected at U.S. hospitals.
The OIG recommended that CMS establish policies and procedures for conducting security compliance reviews of HIPAA covered entities. CMS has already begun responding to the OIG's recommendations, which were apparently disclosed to CMS prior to public issuance of the audit report. As OIG noted, "After we completed our fieldwork but before we issued our report, CMS executed a contract to conduct compliance reviews at covered entities."
CMS has thus far taken a reactive, complaint-driven approach to Security Rule enforcement, much like the HHS Office for Civil Rights has done with the HIPAA Privacy Rule. CMS acting Administrator Kerry Weems responded to the OIG with a defense of CMS's complaint-driven enforcement process, stating that these efforts have furthered industry education and voluntary compliance.
The OIG countered that its audit included an examination of one hospital's implementation of the Security Rule and found significant vulnerabilities with respect to protection of electronic protected health information ("ePHI"). The OIG has also begun security audits of seven other hospitals around the country.
The lesson here for hospitals is that CMS is feeling pressure from OIG to be more vigorous, aggressive and proactive in its enforcement of the HIPAA Security Rule. Because a hospital's security compliance deficiencies and vulnerabilities are often not evident to its patients, the Security Rule has not been a particularly good fit for complaint-driven enforcement. Of the 16,000 total HIPAA complaints that HHS had received as of October 31, 2005, only 413 involved potential Security Rule violations. Hospitals should evaluate whether their HIPAA Security Rule compliance programs would withstand scrutiny if CMS arrived onsite one day and "looked under the hood."