On April 19, 2019, the Department of Health and Human Services (HHS) announced a 30-day extension, until June 3, 2019, to the comment period for two rules proposed by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).

The CMS proposed rule aims to

By Anna Kraus

In a previous post, we highlighted two reports recently issued by the Department of Health and Human Services (HHS) Office of Inspector General (OIG), which criticize HHS’s oversight of health information privacy and security.  In today’s post, we provide greater detail regarding one of those reports (Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight).  We will delve into the second report in a forthcoming post.

The OIG’s Nationwide Rollup Review found that oversight by the Centers for Medicare & Medicaid Services (CMS) had been insufficient to ensure that hospitals and other covered entities have effectively implemented the HIPAA Security Rule.  Specifically, the OIG noted that although CMS had performed a limited number of covered entity compliance reviews, these reviews tended to be reactive rather than proactive.  According to the OIG, CMS relied primarily on education efforts and voluntary compliance to enforce the Security Rule rather than developing a structured compliance review process.

CMS was initially delegated authority to enforce compliance with the Security Rule in 2003 and published a final Security Rule that year.  Enforcement authority was subsequently transferred to the HHS Office for Civil Rights (OCR) in 2009.  OCR reports that it has a process in place to conduct proactive compliance reviews even in the absence of specific complaints.  However, the OIG appeared to question this assertion, stating that OCR had not produced evidence of reviews targeted at entities which had not been specifically flagged for scrutiny.  The OIG concluded by recommending that OCR continue the compliance review process begun by CMS and ensure that it provides for reviews in the absence of complaints.

OIG Finds CMS Oversight of the HIPAA Security Rule Insufficient to Ensure Covered Entity Compliance