The U.S. Department of Health & Human Services Office of Inspector General (OIG) has found that the Centers for Medicare & Medicaid Services (CMS) has taken limited actions to ensure adequate implementation of the Health Insurance Portability and Accountability Act of 1996 Security Rule. The HIPAA Security Rule requires an entity such as a health plan or healthcare provider that transmits any health information in electronic form to ensure the integrity and confidentiality of the information, protect against any reasonably anticipated threats or risks to the security or integrity of the information, and protect against unauthorized uses or disclosures of the information.
CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that electronic protected health information was being adequately protected. The OIG did note, however, that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints.
CMS did not agree with OIG's findings because it believed that its complaint-driven enforcement process has furthered the goal of voluntary compliance. However, CMS agreed with OIG's recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities. OIG maintains that adding these reviews to CMS's oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.