OIG slams CMS for lack of HIPAA compliance enforcement
The Centers for Medicare & Medicaid Services (CMS) has taken limited actions to ensure that covered entities adequately implement the HIPAA Security Rule of 1996, and has not provided effective oversight or encouraged enforcement of the rule, according to a new report from the Office of the Inspector General (OIG).
Although authorized by federal regulations, OIG said that CMS has not conducted any HIPAA compliance reviews of covered entities. To fulfill its oversight responsibilities, the report found that CMS relied on complaints to identify any non-compliant covered entities that it might investigate.
As a result, “CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected,” OIG said.
Although reliance on complaints alone was ineffective for identifying non-compliant covered entities, OIG noted that CMS has “an effective process” for receiving, categorizing, tracking and resolving complaints. The report said that CMS has developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with the Office for Civil Rights for complaints that potentially violate both the HIPAA security and privacy rules, developing corrective action plans and remediating complaints.
Based on its findings, the OIG said that “CMS needs to become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews.” The office also recommended that CMS establish policies and procedures for conducting HIPAA compliance reviews of covered entities.
CMS did not agree with the OIG’s findings because it said that “its complaint-driven enforcement process has furthered the goal of voluntary compliance.” However, CMS agreed that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy that also includes complaint investigation and resolution, outreach, education and working closely with industry to identify and correct security issues, according to the OIG.
Although authorized by federal regulations, OIG said that CMS has not conducted any HIPAA compliance reviews of covered entities. To fulfill its oversight responsibilities, the report found that CMS relied on complaints to identify any non-compliant covered entities that it might investigate.
As a result, “CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI [electronic protected health information] was being adequately protected,” OIG said.
Although reliance on complaints alone was ineffective for identifying non-compliant covered entities, OIG noted that CMS has “an effective process” for receiving, categorizing, tracking and resolving complaints. The report said that CMS has developed and implemented detailed procedures for receiving complaints, communicating with filed-against entities, coordinating with the Office for Civil Rights for complaints that potentially violate both the HIPAA security and privacy rules, developing corrective action plans and remediating complaints.
Based on its findings, the OIG said that “CMS needs to become proactive in overseeing and enforcing implementation of the HIPAA Security Rule by focusing on compliance reviews.” The office also recommended that CMS establish policies and procedures for conducting HIPAA compliance reviews of covered entities.
CMS did not agree with the OIG’s findings because it said that “its complaint-driven enforcement process has furthered the goal of voluntary compliance.” However, CMS agreed that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy that also includes complaint investigation and resolution, outreach, education and working closely with industry to identify and correct security issues, according to the OIG.