
HHS blasts CMS's HIPAA enforcement program

A new report from the HHS Inspector General has ripped into CMS for doing a bad job of enforcing the HIPAA security rule. When the IG conducted its own audits of hospital security systems, it found many significant vulnerabilities that could put patient data "at risk high."

Ordinarily, CMS is supposed to be conducting such audits itself, the IG noted. In fact, CMS hasn't done a single security audit since the rule went into effect on Feb. 16, 2006, the IG said.

The IG concedes that CMS has done a good job of setting up mechanisms to receive complaints from the public about security issues, and has also followed up effectively to address the problems brought up in the complaints. But that method alone doesn't do much to protect the nation's health consumers. After all, to date, CMS has received a grand total of 200 complaints since it began accepting them, an infinitesimal number given the number of facilities being regulated.

It seems likely that CMS will have to ramp up its HIPAA security enforcement efforts substantially over the next 12 months. Otherwise, I think that this report could trigger some very unfavorable scrutiny in Congress, particularly once a new administration is in place and everyone's trying to prove they're on top of things.

To learn more about the report:
- read this Modern Healthcare report

Related Articles:
Providers, states still struggle with HIPAA
HIPAA compliance nears adolescence
HIPAA standards move forward
Seattle system will pay $100K HIPAA fine after repeated breaches

Comments

Almost a year ago I became interested in measuring the level of HIPAA compliance among dentists in the nation, so I performed an informal survey as a pilot study to see how well dentists are following the Rule. The results were posted on “The Executive-Post” in September. (I tried to provide a link but was prevented from doing so by this website. One can find the article by Google-searching “Darrell Pruitt, HIPAA study.” It is the first hit.)

Here is the abstract:
-----------------
A Survey of Dentists [Pilot Study]
By Darrell Pruitt; DDS

A survey of 18 dentists was performed using the Internet as a platform. The volunteer dentists’ anonymity was guaranteed. The dentists were presented with ten HIPAA compliancy requirements followed by a series of questions concerning their compliancy as well as the importance of the requirements in dental practices.

The range of compliancy was found to be from 0% for the requirement of a written workstation policy to 88% for that of password security. The average was 49%, meaning that less than half of the requirements are being respected by the dentists in this sample.

Frustration with the tenets of the mandate, as well as open defiance, is evident by the written responses. In addition, it appears that a dentist’s likelihood of satisfying a requirement is related to the dentist’s perceived importance of the requirement.

Even though this is a limited pilot study, there is convincing evidence that more thorough investigation concerning the cost and benefits of the requirements needs to be performed before enforcement of the HIPAA mandate is considered for the nation’s dental practices.
------------------------
What would happen if it were discovered that HIPAA is the grandest fraudulent scheme ever - and it is still being perpetrated by entrepreneurs, bureaucrats and politicians for selfish gain? Would the nation’s leaders admit to a dozen years of egregious folly? Not before tomorrow. Darrell K. Pruitt DDS

This is precisely why so many of us DON'T wish to give our SSN on medical records, as a password for insurance, etc. And why we DON'T want a National ID. We can't trust companies to protect our personal information and are certainly even less trusting of our understaffed and underfunded government agencies. More and more of us are becoming identity theft victims which is one horrific personal nightmare. HIPAA needs to work!
