Audit Reports from HHS OIG

HHS OIG released two audit reports

Established in 1976, the Health and Human Services (HHS) Office of the Inspector General (OIG) fights waste, fraud and abuse to over 300 HHS programs including Medicare, Medicaid, CDC, NIH, and FDA. They are currently the largest OIG office in the Federal Government employing 1700 people. Through nationwide audits, investigations, and evaluations this OIG reports and recommends to the department and its programs.

On May 16, the HHS OIG released two audit reports focusing on security of patient health information. The first, Audit of Information Technology Security Included in Health Information Technology Standards reports on the ONC. The audit reviewed the current Final Rule for security controls. The second, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight reports on CMS. They audited 7 hospitals for vulnerabilities in systems and their controls to protect ePHI.

In the ONC report it was found that the ONC and Standards Final Rule focuses on security of interoperability and exchanging encrypted information between EHRs. They site that there are no HIT standards that include general IT security controls. They define these security controls as the “structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls.”  The report recommends which the ONC concurs with:

  1. Broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures;
  2. use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices;
  3. emphasize to the medical community the importance of general IT security; and
  4. coordinate its work with the Centers for Medicare & Medicaid Services and the Department’s Office for Civil Rights to add general IT security controls where applicable.

In the CMS report the audit found 151 vulnerabilities of secure ePHI in the 7 hospitals including open access to records without the hospital’s knowledge. It was found that CMS oversight and enforcement was not sufficient to ensure the covered entity has effectively implemented the HIPAA Security Rule. The report recommends that the Department’s Office for Civil Rights (OCR) continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. The OCR defends that it maintains a process for initiating covered entity compliance reviews through complaints or on its own.