HHS blasts CMS's HIPAA enforcement program

November 1, 2008 — 11:45pm ET | By Anne Zieger

Tools

Tags
CMS
patient data
vulnerabilities
security
Audits
HIPAA Security Rule
Hospital Security
Health Consumers
Security Systems
Security Audit

A new report from the HHS Inspector General's has ripped into CMS for doing a bad job of enforcing the HIPAA security rule. In its own investigation, the IG found that when it conducted its own audits of hospital security systems, it found many significant vulnerabilities that could put patient data "at risk high."

Ordinarily, CMS is supposed to be conducting such audits itself, the IG noted. In fact, CMS hasn't done a single security audit since the rule went into effect on Feb. 16, 2006, the IG said.

The IG concedes that CMS has done a good job of setting up mechanisms to receive complaints from the public about security issues, and has also followed up effectively to address the problems brought up in the complaints. But that method alone doesn't do much to protect the nation's health consumers. After all, to date, CMS has received a grand total of 200 complaints since it began accepting them, an infinitesimal number given the number of facilities being regulated.

It seems likely that CMS will have to ramp up its HIPAA security enforcement efforts substantially over the next 12 months. Otherwise, I think that this report could trigger some very unfavorable scrutiny in Congress, particularly once a new administration is in place and everyone's trying to prove they're on top of things.

To learn more about the report:
- read this Modern Healthcare report

Related Articles:
Providers, states still struggle with HIPAA
HIPAA compliance nears adolescence
HIPAA standards move forward
Seattle system will pay $100K HIPAA fine after repeated breaches