On May 16, 2011, the Department of Health & Human Services (HHS) Office of Inspector General (OIG) released an audit report discussing vulnerabilities in the policies and procedures used by Covered Entities to safeguard the confidentiality, integrity, and availability of electronic protected health information (ePHI). The report is intended to assess the sufficiency of the Centers for Medicare & Medicaid Services’ (CMS) oversight of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The OIG’s report, which discusses specific compliance issues discovered at the Covered Entities that were audited, offers insight into what is required to successfully implement the technical, administrative, and physical safeguards mandated under the Security Rule.
The report should also help Business Associates of Covered Entities in understanding the obligations to which they will soon be subject under the Security Rule, as a result of changes from 2009’s Health Information Technology for Economic and Clinical Health Act (HITECH). Regulations proposed last summer (73 Fed. Reg. 40868, Jul. 14, 2010) implementing the Security Rule’s application to Business Associates have not yet been finalized. Given the complexity of complying with the Security Rule, many organizations—historically regulated only through Business Associate Agreements with Covered Entities—are struggling to understand what implementing the safeguards required under the Security Rule truly means.
The OIG’s report is based on an audit of hospitals it conducted to evaluate the effectiveness of their efforts to comply with the Security Rule. The report identifies numerous internal control weaknesses at the hospitals and concludes that the Office for Civil Rights (OCR) should engage in enhanced oversight of compliance with the Security Rule.
At the hospitals audited, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI. Of these vulnerabilities, 124 were categorized as high impact, meaning that they may result in the costly loss of major tangible assets, may significantly violate or harm an organization’s mission, or may result in serious injury or human death. The weaknesses identified at the hospitals included:
The OIG concluded that oversight and enforcement have been insufficient as a means of ensuring that Covered Entities comply with the Security Rule. With increased penalties for noncompliance and greater public awareness of HIPAA, oversight of Covered Entities’ and Business Associates’ compliance will continue to be an area of focus for regulators. Meanwhile, HHS has not yet indicated when the proposed HITECH regulations will be finalized.
HIPAA and HITECH issues will be a key topic at Gray Plant Mooty’s 15th Annual Health Law Conference, to be held July 14, 2011, at the Earle Brown Heritage Center in Brooklyn Center, Minnesota. This event is free. An invitation and registration information will follow in June. If you have any questions, please contact firstname.lastname@example.org.
If you have questions about the OIG report or the HIPAA Security Rule, please contact Jesse Berg at 612.632.3374 or email@example.com.
This article is provided for general informational purposes only and should not be construed as legal advice or legal opinion on any specific facts or circumstances. You are urged to consult a lawyer concerning any specific legal questions you may have.
Gray Plant Mooty is recognized as one of the leading corporate law firms in Minnesota and one of the top franchise firms in the world. Our roots go back to 1866. Today, we are a 180-plus attorney, full-service firm with offices in Minneapolis and St. Cloud, Minnesota; Washington, D.C.; and Fargo, North Dakota.