On October 27, 2007, the Office of Inspector General of the U.S. Department of Health and Human Services ("OIG") issued a report on its review of the implementation and enforcement of the HIPAA Security Rule. The report was critical of the "limited actions" taken by the Centers for Medicare & Medicaid Services ("CMS") to "ensure that covered entities adequately implement the HIPAA Security Rule," and stated clearly that the actions taken by CMS to date "had not provided effective oversight or encouraged enforcement" of the HIPAA Security Rule. In particular, the OIG criticized the "complaint-driven process" selected by CMS to enforce the HIPAA Security Rule, because "the significant vulnerabilities [the OIG] identified at hospitals throughout the country would not generally have been identified in … complaints." The report states that "numerous, significant vulnerabilities in the systems and controls intended to protect [electronic protected health information, or "ePHI"] at covered entities" were discovered in the audits conducted by the OIG, and that CMS "had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected."
Now that CMS has executed a contract to conduct HIPAA Security Rule compliance reviews, we expect the "survey-driven process" to function in much the same way that CMS reviews provider compliance with the Medicare Conditions of Participation. If this does not occur promptly enough to suit the OIG, it would not be a stretch for the OIG to implement another round of audits and to recommend civil money penalties under 45 C.F.R. Section 160.402 for violations of the HIPAA Security Rule. It also would not take much to envision a CMS survey process to address the OIG's concerns under the HIPAA Privacy Rule, as there has been virtually no public enforcement of the HIPAA Privacy Rule during this same time.
You can find the report in full, together with CMS's response, on the Internet at http://oig.hhs.gov/oas/reports/region4/40705064.pdf.