The agency falls short in its oversight and enforcement, OIG reports. The HHS Office of Inspector General criticizes the Centers for Medicare & Medicaid Services' effectiveness of "oversight and enforcement of covered entities' implementation of the HIPAA Security Rule," according to a recent report. The Health Insurance Portability and Accountability Act defines mandatory national standards to protect the confidentiality and integrity of electronic Protected Health Information while it is being stored or transmitted between entities. In the report, the OIG takes CMS to task for relying on complaints to identify noncompliant covered entities for investigation. The result: "CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that ePHI was being adequately protected," the OIG says. But it's not as if CMS isn't doing anything right. The OIG praises CMS for having an "effective process for receiving, categorizing, tracking, and resolving complaints." But the report points out that OIG audits of various hospitals nationwide showed that CMS needs to do much more in ensuring implementation of the HIPAA Security Rule by using compliance reviews, among other measures. The OIG points to "numerous, significant vulnerabilities in the systems and controls intended to protect ePHI at covered entities." On the positive side, the OIG says CMS has begun taking steps to conduct compliance reviews. CMS disagrees with the OIG by stressing its belief that its "complaint-driven enforcement process" has been very effective, particularly in promoting healthcare providers' "voluntary compliance." But CMS agrees that compliance reviews are useful as part of a broad-spectrum enforcement strategy that would include "complaint investigation and resolution, outreach, and education." CMS's enforcement of HIPAA compliance has still encouraged providers to "voluntarily" comply, but the OIG also points to significant vulnerabilities in providers across the nation that would have fallen under the radar in complaints. Beware: Note: