CMS criticized for lax enforcement of HIPAA security rules
Agency officials disputed the OIG findings but agreed to enhance compliance-assurance activities.
By Amy Lynn Sorrel — Posted Nov. 24, 2008
Tougher enforcement of federal rules for health information security likely is in store following a critical report by the Dept. of Health and Human Services Office of Inspector General.
In an Oct. 27 review, OIG chastised the Centers for Medicare & Medicaid Services for lax oversight of the Health Insurance Portability and Accountability Act's security rule and for taking "limited actions" to urge compliance with the federal statute. The security rule requires covered entities -- such as physicians, hospitals and health plans -- that use electronic protected health information to employ systems to ensure the confidentiality of such data and safeguard them from unauthorized disclosures or security risks. Under HIPAA's privacy rule, covered entities must make sure patient information is not shared with unauthorized parties.
CMS has maintained an effective process for receiving, tracking and resolving outside complaints filed with the agency since it began enforcement of the security rule in 2006, OIG noted. But that system does little to ensure that covered entities are using measures to stop breaches before they occur, the report said. In a national audit of several hospitals, the inspector general found "numerous, significant vulnerabilities in the systems and controls" intended to protect personally identifiable health information.
As of August 2007, CMS "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA security rule provisions. Nor did CMS know how vulnerable [protected health information] was to attack by individuals intent on accessing and misusing" such data, OIG concluded.
Patients' privacy depends on the security of health information, said Deborah C. Peel, MD, founder and chair of the consumer advocacy organization Patient Privacy Rights. "Privacy means you have control of the data, and you can't have privacy as long as these databases are insecure. Even if you have a totally secure system, if you give out a thousand master keys, the security is meaningless."
Dr. Peel said such risks generally would not come to light in a largely complaint-driven process. "People can't complain, because they don't know what is going on in these complex systems," she said, adding that most HIPAA security complaints start out as privacy breaches when patients realize their information was disclosed improperly.
According to the OIG report, the HHS Office for Civil Rights, which enforces the HIPAA privacy rule, received more than 16,000 complaints between 2003 and 2005, whereas CMS took in only 413 security-related complaints during the same period.
The inspector general recommended that CMS establish specific procedures for compliance reviews.
CMS disputes the findings
CMS disagreed with OIG's conclusions, saying its complaint-driven enforcement process has furthered the goal of voluntary compliance.
"What the OIG defines as lax enforcement is very focused on the compliance review area, and we really consider our program to be much more than that," said Anthony Trenkle, director of the CMS Office of E-Health Standards and Services.
CMS consented to implementing the compliance reviews recommended by OIG, he said. But the agency considers them a complementary tool in a comprehensive enforcement strategy that includes complaint investigation, education, and outreach to help physicians and entities identify and correct security issues.
"On one level you could say we've ratcheted [enforcement] up a bit," Trenkle said. "But this has been a high priority and continues to be." CMS completed 10 hospital compliance reviews and has begun developing criteria to initiate audits of a sample of covered entities, including physicians. The agency also is considering partnering with OIG on future compliance reviews, he added.
Given increased awareness of privacy and security risks, physicians can expect heightened enforcement activity, not only around HIPAA, but around other state and federal data protection laws as well, said Barbara Bennett, a HIPAA expert and partner at the law firm Hogan & Hartson LLP in Washington, D.C.
For example, HHS levied the first sanctions against a covered entity in July, when a hospital agreed to a $100,000 settlement for potential privacy violations. The agreement involved cooperation between CMS and the Office for Civil Rights.
HIPAA generally allows states to enact stricter privacy and security requirements than the federal government, Bennett noted. In addition, recent security breaches that led to medical identity theft have generated substantial media coverage and government scrutiny, she said. She pointed to the Federal Trade Commission's recent "red flag" rules requiring physicians to implement a formal identity theft prevention program by May 1, 2009 -- rules that could overlap with HIPAA regulations.
Bennett recommended physicians adopt a privacy and security compliance program in line with state and federal standards and continue to review its effectiveness. Adequate documentation is key, she noted. "Lack of documentation that the organization has made any effort to comply is the fastest road to liability."