On April 19, 2019, the Department of Health and Human Services (HHS) announced a 30-day extension, until June 3, 2019, to the comment period for two rules proposed by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).
CMS
OIG Finds CMS Oversight of the HIPAA Security Rule Insufficient to Ensure Covered Entity Compliance
By Anna Kraus
In a previous post, we highlighted two reports recently issued by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security. In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight). We will delve into the second report in a forthcoming post.
The OIG’s Nationwide Rollup Review found that oversight by the Centers for Medicare & Medicaid Services (CMS) had been insufficient to ensure that hospitals and other covered entities have effectively implemented the HIPAA Security Rule. Specifically, the OIG noted that although CMS had performed a limited number of covered entity compliance reviews, these reviews tended to be reactive rather than proactive. According to the OIG, CMS relied primarily on education efforts and voluntary compliance to enforce the Security Rule rather than developing a structured compliance review process.
CMS was initially delegated authority to enforce compliance with the Security Rule in 2003 and published a final Security Rule that year. Enforcement authority was subsequently transferred to the HHS Office for Civil Rights (OCR) in 2009. OCR reports that it has a process in place to conduct proactive compliance reviews even in the absence of specific complaints. However, the OIG appeared to question this assertion, stating that OCR had not produced evidence of reviews targeted at entities which had not been specifically flagged for scrutiny. The OIG concluded by recommending that OCR continue the compliance review process begun by CMS and ensure that it provides for reviews in the absence of complaints.
Covington to Participate in Healthcare Privacy Panel
Next week, IAPP hosts its annual Global Privacy Summit in Washington, D.C. Inside Privacy will be attending the event, which has attracted a number of significant stakeholders in years past and will provide a good opportunity to take the temperature of stakeholders on key privacy and data security issues.
Those who are…
Notions of Health Privacy as a Function of Technology, Law and Policy
The International Association of Privacy Professionals hosts its Global Privacy Summit in Washington, DC on March 9-11. Those who are interested in health privacy may be especially interested in the following session on March 11 from 11:45 am to 12:45 pm:
Notions of Health Privacy as a Function of Technology, …