By Anna Kraus

In a previous post, we highlighted two reports recently issued by Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security.  In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight).  We will delve into the second report in a forthcoming post.

The OIG’s Nationwide Rollup Review found that oversight by the Centers for Medicare & Medicaid Services (CMS) had been insufficient to ensure that hospitals and other covered entities have effectively implemented the HIPAA Security Rule.  Specifically, the OIG noted that although CMS had performed a limited number of covered entity compliance reviews, these reviews tended to be reactive rather than proactive.  According to the OIG, CMS relied primarily on education efforts and voluntary compliance to enforce the Security Rule rather than developing a structured compliance review process.

CMS was initially delegated authority to enforce compliance with the Security Rule in 2003 and published a final Security Rule that year.  Enforcement authority was subsequently transferred to the HHS Office for Civil Rights (OCR) in 2009.  OCR reports that it has a process in place to conduct proactive compliance reviews even in the absence of specific complaints.  However, the OIG appeared to question this assertion, stating that OCR had not produced evidence of reviews targeted at entities which had not been specifically flagged for scrutiny.  The OIG concluded by recommending that OCR continue the compliance review process begun by CMS and ensure that it provides for reviews in the absence of complaints.

The Security Rule implements certain HIPAA Administrative Simplification provisions and requires covered entities transmitting electronic protected health information (ePHI) to ensure its confidentiality, integrity, and availability while protecting against reasonably anticipated security risks and unauthorized uses or disclosures.  In addition to issuing the final Security Rule, CMS released guidance to covered entities regarding compliance.

In 2008, the OIG audited CMS’s enforcement of the Security Rule and found that the agency had taken only limited steps to enforce it.  At the time, CMS had not conducted compliance reviews or established policies for conducting such reviews of covered entities.  Instead, the agency relied primarily on guidance to covered entities and voluntary compliance.  The OIG’s 2008 audit recommended that CMS establish a compliance review process to ensure compliance by covered entities.  CMS subsequently conducted compliance reviews of ten covered entities identified through filed complaints, media scrutiny, or OCR recommendations for review.  In 2009, CMS scheduled six additional compliance reviews which were not limited to entities against which complaints had been filed.  Subsequently, authority to enforce the Security Rule, conduct compliance reviews, investigate and resolve complaints, and impose civil monetary penalties (CMPs) was delegated to OCR.

For purposes of the Nationwide Rollup Review, the OIG audited seven hospitals and found 151 vulnerabilities of which 124 were considered “high impact,” meaning that they could result in the “highly costly loss of major tangible assets or resources; . . . significantly violate, harm, or impede an organization’s mission, reputation, or interest; or . . . result in human death or serious injury.”  All hospitals audited had implemented some policies to protect ePHI.  However, none had adequately implemented the provisions of the Security Rule.  The most common high impact vulnerabilities identified were technical in nature and affected areas such as access and integrity controls, wireless access, and transmission security.  Physical and administrative vulnerabilities were also present, including facility access control, contingency planning issues, and workforce security.

Based on its findings, the OIG has recommended that OCR continue to conduct compliance reviews, as initiated by CMS, and establish policies for conducting future reviews to foster compliance with the Security Rule.  In responding to the OIG draft report, OCR did not comment on specific findings, but stated that it had considered OIG’s recommendations, that it had a process for conducting proactive compliance reviews, and that it had opened reviews in response to the OIG audit and in cases where security breaches affected 500 or more individuals.  OCR also noted that it has developed covered entity corrective action plans for vulnerabilities identified by the OIG and it urged caution in extrapolating conclusions about Security Rule compliance from a small audit sample size.  The OIG responded to OCR’s comments by noting that OCR had provided evidence only of compliance reviews initiated in response to the OIG hospital audits and not of compliance reviews being performed more broadly.

Given that adequate security controls are critical in fostering trust and widespread use of health information technology, the OIG report could spur OCR to increase compliance reviews of covered entities.  OIG’s criticism of the reactive nature of the reviews to date is likely to lead OCR to focus on proactive reviews not linked to specific complaints.