On May 16, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued two reports critical of the HHS’ efforts to ensure the security of electronic health information. The first report criticized the Centers for Medicare & Medicaid Services (CMS) for its prior oversight of the HIPAA Security Rule. The second report criticized the Office of the National Coordinator for Health Information Technology (ONC) for insufficiently building security into the requirements for certified electronic health records.

These reports demonstrate that there is significant pressure on ONC, the Office for Civil Rights (OCR), and CMS to build more stringent security controls into health information technology (IT) systems, and that a number of specific vulnerabilities have been highlighted. Covered entities and business associates may be well served to use these reports to proactively assess their own systems for these high-impact vulnerabilities. We provide a vulnerability checklist at the end of this alert to assist organizations in conducting their own risk analyses.

OIG criticizes lack of government oversight

Privacy advocates, the HIT Policy Committee’s Privacy and Security Tiger Team, and members of Congress already have expressed concern with HHS over a perceived lack of emphasis on health information security. These two reports add another voice, this time from HHS’ own watchdog, to this chorus. They also provide the health care community with information about potential vulnerabilities and raise the probability of heightened HIPAA security enforcement (such as through the upcoming audit program) and more stringent security requirements for electronic health records.'

The OIG’s report on oversight of the HIPAA Security Rule concluded that CMS’ oversight and enforcement actions were insufficient to ensure that covered entities, such as hospitals, physician practices, and health plans, effectively implemented the Security Rule, leaving electronic protected health information (ePHI) vulnerable to attack and compromise.

After auditing seven hospitals located across the country, the OIG identified 151 vulnerabilities in systems and controls intended to protect ePHI, of which the OIG categorized 124 vulnerabilities as high impact. The identified high-impact vulnerabilities included problems with technical safeguards (wireless network access, access control, audit control, integrity control, authentication, and transmission security), physical safeguards (facility access and device and media control), and administrative safeguards (security management, workforce security, security incident procedures, and contingency planning).

OIG calls for proactive compliance audits

The OIG’s recommendation is for OCR, which now has authority for enforcement of the Security Rule, to continue CMS’ most recent efforts by conducting proactive compliance reviews (rather than launching investigations based only on complaints or media reports). The OIG’s recommendation also is consistent with the mandate for proactive audits under the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). OCR is in the process of launching an audit program pursuant to a requirement of the HITECH Act. Based on recent OCR statements, a pilot audit program is expected later this year. The OIG recommendation begs the question of whether the vulnerabilities identified by the OIG will be included in OCR’s upcoming audit efforts.