Hospitals Fail to Adequately Protect Electronic Patient Data

June 9, 2011, 11:01 AM

The Office of Inspector General (OIG) stated that Centers for Medicare & Medicaid Services (CMS) oversight and enforcement actions for Health Insurance Portability and Accountability Act (HIPAA) Covered Entities are not sufficient to ensure compliance with the HIPAA Security Rule. One purpose of the Security Rule is to ensure that electronic patient health information sent between entities is secure from attack or compromise. The OIG audited seven hospitals throughout the nation and found 151 vulnerabilities in systems and controls, 124 of which were identified as high impact. Such vulnerabilities could allow outsiders or hospital employees to access patient information without the hospitals' knowledge. Although each of the seven hospitals had implemented some security measures, none had complied with the administrative, technical, and physical safeguards of the Security Rule.

As a result, the OIG recommended that the Health and Human Services Office for Civil Rights (OCR) take over the compliance audits that CMS began in 2009 but never implemented. Currently, the OCR only responds to reported security complaints or breaches. If the OCR follows the OIG recommendation, it would begin to conduct compliance reviews to ensure that hospitals properly implement and maintain security systems to protect patient data.

Further, the OIG encouraged OCR to coordinate its technological security efforts with CMS, as well as with the Office of the National Coordinator for Health Information Technology (ONC). The OIG opined that the combined efforts of these organizations would lead healthcare entities to greatly improve information technology security. For more information, see http://oig.hhs.gov/oas/reports/other/180930160.pdf and http://oig.hhs.gov/oas/reports/region4/40805069.pdf. --Aaron J. Ambrose