Medicare Compliance & Reimbursement

HIPAA:

OIG Wants CMS To Better Enforce Medical Security

The agency falls short in its oversight and enforcement, OIG reports.

Authorities may not have been slamming providers for HIPAA violations lately, but that does not mean you can get lax about compliance with the privacy law -- more compliance reviews are likely on the way.

The HHS Office of Inspector General criticizes the effectiveness of the Centers for Medicare & Medicaid Services' "oversight and enforcement of covered entities' implementation of the HIPAA Security Rule," according to a recent report.

The Health Insurance Portability and Accountability Act defines mandatory national standards to protect the confidentiality and integrity of electronic Protected Health Information while it is being stored or transmitted between entities. In the report, the OIG takes CMS to task for relying on complaints to identify noncompliant covered entities for investigation.

The result: "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected," the OIG says.

But it's not as if CMS isn't doing anything right. The OIG praises CMS for having an "effective process for receiving, categorizing, tracking, and resolving complaints." But the report points out that OIG audits of various hospitals nationwide showed that CMS needs to do much more in ensuring implementation of the HIPAA Security Rule by using compliance reviews, among other measures. The OIG points to "numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities."

On the positive side, the OIG says CMS has begun taking steps to conduct compliance reviews.

CMS disagrees with the OIG by stressing its belief that its "complaint-driven enforcement process" has been very effective, particularly in promoting healthcare providers' "voluntary compliance."

But CMS agrees that compliance reviews are useful as part of a broad-spectrum enforcement strategy that would include "complaint investigation and resolution, outreach, and education." CMS's enforcement of HIPAA compliance has still encouraged providers to "voluntarily" comply, but the OIG also points to significant vulnerabilities in providers across the nation that would have fallen under the radar in complaints.

Beware: Be prepared for more compliance reviews from CMS in the coming months and years, experts predict. Home health is an area particularly vulnerable to HIPAA risks. A health system was slapped with the first HIPAA settlement, which totaled six figures, this year for HIPAA infractions in its home care program.

Note: The report is at http://oig.hhs.gov/oas/reports/region4/40705064.asp.