CMS criticized for lax enforcement of HIPAA security rules

Agency officials disputed the OIG findings but agreed to enhance compliance-assurance activities.

By Amy Lynn Sorrel — Posted Nov. 24, 2008


Tougher enforcement of federal rules for health information security likely is in store following a critical report by the Dept. of Health and Human Services Office of Inspector General.

In an Oct. 27 review, OIG chastised the Centers for Medicare & Medicaid Services for lax oversight of the Health Insurance Portability and Accountability Act's security rule and for taking "limited actions" to urge compliance with the federal statute. The security rule requires covered entities -- such as physicians, hospitals and health plans -- that use electronic protected health information to employ systems to ensure the confidentiality of such data and safeguard them from unauthorized disclosures or security risks. Under HIPAA's privacy rule, covered entities must make sure patient information is not shared with unauthorized parties.

CMS has maintained an effective process for receiving, tracking and resolving outside complaints filed with the agency since it began enforcement of the security rule in 2006, OIG noted. But that system does little to ensure that covered entities are using measures to stop breaches before they occur, the report said. In a national audit of several hospitals, the inspector general found "numerous, significant vulnerabilities in the systems and controls" intended to protect personally identifiable health information.

As of August 2007, CMS "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA security rule provisions. Nor did CMS know how vulnerable [protected health information] was to attack by individuals intent on accessing and misusing" such data, OIG concluded.

Patients' privacy depends on the security of health information, said Deborah C. Peel, MD, founder and chair of the consumer advocacy organization Patient Privacy Rights. "Privacy means you have control of the data, and you can't have privacy as long as these databases are insecure. Even if you have a totally secure system, if you give out a thousand master keys, the security is meaningless."

Dr. Peel said such risks generally would not come to light in a largely complaint-driven process. "People can't complain, because they don't know what is going on in these complex systems," she said, adding that most HIPAA security complaints start out as privacy breaches when patients realize their information was disclosed improperly.

According to the OIG report, the HHS Office for Civil Rights, which enforces the HIPAA privacy rule, received more than 16,000 complaints between 2003 and 2005, whereas CMS took in only 413 security-related complaints during the same period.

The inspector general recommended that CMS establish specific procedures for compliance reviews.

CMS disputes the findings

CMS disagreed with OIG's conclusions, saying its complaint-driven enforcement process has furthered the goal of voluntary compliance.

"What the OIG defines as lax enforcement is very focused on the compliance review area, and we really consider our program to be much more than that," said Anthony Trenkle, director of the CMS Office of E-Health Standards and Services.

CMS consented to implementing the compliance reviews recommended by OIG, he said. But the agency considers them a complementary tool in a comprehensive enforcement strategy that includes complaint investigation, education, and outreach to help physicians and entities identify and correct security issues.

"On one level you could say we've ratcheted [enforcement] up a bit," Trenkle said. "But this has been a high priority and continues to be." CMS completed 10 hospital compliance reviews and has begun developing criteria to initiate audits of a sample of covered entities, including physicians. The agency also is considering partnering with OIG on future compliance reviews, he added.

Given increased awareness of privacy and security risks, physicians can expect heightened enforcement activity, not only around HIPAA, but around other state and federal data protection laws as well, said Barbara Bennett, a HIPAA expert and partner at the law firm Hogan & Hartson LLP in Washington, D.C.

For example, HHS levied the first sanctions against a covered entity in July, when a hospital agreed to a $100,000 settlement for potential privacy violations. The agreement involved cooperation between CMS and the Office for Civil Rights.

HIPAA generally allows states to enact stricter privacy and security requirements than the federal government, Bennett noted. In addition, recent security breaches that led to medical identity theft have generated substantial media coverage and government scrutiny, she said. She pointed to the Federal Trade Commission's recent "red flag" rules, which require physicians to implement a formal identity theft prevention program by May 1, 2009 -- rules that could overlap with HIPAA regulations.

Bennett recommended physicians adopt a privacy and security compliance program in line with state and federal standards and continue to review its effectiveness. Adequate documentation is key, she noted. "Lack of documentation that the organization has made any effort to comply is the fastest road to liability."



Looking for breaches

Enforcement of HIPAA privacy and security regulations is largely dependent on complaints about entities suspected of breaking the rules.

Here's what the system produced in 2007:

                       Privacy rule                      Security rule
Complaints             7,176                             379
Resolved               6,461 (90%)                       280 (74%)
Corrective actions     1,484 (21%)                       49 (13%)
Most common issues     Impermissible uses and            Information access management,
                       disclosures, lack of safeguards,  access control, security awareness
                       improper access                   and training

Source: Dept. of Health & Human Services
