By Anna Kraus

Last week, the Office of Inspector General (OIG) within the Department of Health and Human Services (HHS) issued two audit reports regarding federally mandated data security measures for health information.  Both reports are highly critical of HHS’s efforts to protect the security of electronic health information.

In the first report, available here, the OIG concluded that the Centers for Medicare and Medicaid Services’ (CMS) oversight of the HIPAA Security Rule was insufficient.  Specifically, the OIG found that CMS’s oversight and enforcement activities did not adequately ensure that covered entities, such as hospitals, effectively implemented the Security Rule.  As a result, CMS had limited assurance that controls were in place to protect electronic protected health information (ePHI), thereby “leaving ePHI vulnerable to attack and compromise.”

In the second report, available here, the OIG found that the health information technology (HIT) standards issued by the Office of the National Coordinator for Health Information Technology (ONC) lacked general IT security controls.  Examples of general IT security controls include:

  • encrypting data stored on mobile devices
  • requiring two-factor authentication when remotely accessing an HIT system
  • patching the operating systems of computer systems that process and store electronic health records (EHR)

The OIG concluded that the lack of these controls raises concern about the effectiveness of IT security for HIT.

The OIG audit findings suggest that we may be seeing heightened enforcement activities related to the HIPAA Security Rule and more stringent security controls for electronic health records.  In future posts, we will delve into the OIG’s specific findings and recommendations.