By Anna Kraus & Rachel Grunberger
As we reported previously, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently issued two reports that highlight continuing concerns over how best to ensure the privacy and security of electronic health information. Earlier this week, we provided more detail on the OIG’s report regarding CMS oversight of the HIPAA Security Rule.
On May 16, 2011, the OIG released a second report relating to federal data security standards, Audit of Information Technology Security Included in Health Information Technology Standards. In this report, the OIG expressed concern that federal health information technology (HIT) standards do not include general information technology (IT) security controls. Instead, HIT standards focus primarily on application controls, which apply within an IT system and can be circumvented in the absence of strong general security controls. The audit recommended that the Office of the National Coordinator for Health Information Technology (ONC) take the following steps:
- Include general security controls in HIT standards;
- Provide guidance to the health industry and the medical community regarding the value of general IT security as well as general IT security standards and best practices; and
- Cooperate with the Centers for Medicare & Medicaid Services (CMS) and the HHS Office for Civil Rights (OCR) to require general IT security controls where appropriate.