OIG To CMS:  HIPAA Security Rule Oversight And Enforcement Leaves Much To Be Desired

Legal HIMformation
(November 2008)

On October 27, 2007, the Office of Inspector General of the U.S. Department of Health and Human Services ("OIG") issued a report on its review of the implementation and enforcement of the HIPAA Security Rule.  The report was critical of the "limited actions" taken by the Centers for Medicare & Medicaid Services ("CMS") to "ensure that covered entities adequately implement the HIPAA Security Rule," and stated clearly that the actions taken by CMS to date "had not provided effective oversight or encouraged enforcement" of the HIPAA Security Rule.  In particular, the OIG criticized the "complaint-driven process" selected by CMS to enforce the HIPAA Security Rule, because "the significant vulnerabilities [the OIG] identified at hospitals throughout the country would not generally have been identified in … complaints."  The report states that "numerous, significant vulnerabilities in the systems and controls intended to protect [electronic protected health information, or "ePHI"] at covered entities" were discovered in the audits conducted by the OIG, and that CMS "had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected."

Now that CMS has executed a contract to conduct HIPAA Security Rule compliance reviews, we expect the "survey-driven process" to function in much the same way that CMS reviews provider compliance with the Medicare Conditions of Participation.  If this does not occur promptly enough to suit the OIG, it would not be a stretch for the OIG to implement another round of audits and to recommend civil money penalties under 45 C.F.R. Section 160.402 for violations of the HIPAA Security Rule.  It also would not take much to envision a CMS survey process to address the OIG's concerns under the HIPAA Privacy Rule, as there has been virtually no public enforcement of the HIPAA Privacy Rule during this same time.

You can find the report in full, together with CMS's response, on the Internet at
