The Sky Is Falling: Reports Criticize Health IT Security Standards and Enforcement

by Bruce Merlin Fried

Earlier this year, HHS' Office of Inspector General issued two reports -- the Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight ("Nationwide Review of CMS' HIPAA Oversight") and the Audit of Information Technology Security Included in Health Information Technology Standards ("Audit of Health IT Security") -- that the office said "raise significant concerns about the security of electronic patient health information." 

In reviewing these two reports, perhaps what troubles us most is that one of the reports -- the Audit of Health IT Security -- relies on the findings of the other report -- the Nationwide Review of CMS' HIPAA Oversight -- that are dated and do not take into account key statutory requirements under the HITECH Act and the Office for Civil Rights' reported actions on those requirements.

Specifically, the focus of the Nationwide Review of CMS' HIPAA Oversight is exactly what the title implies -- CMS' oversight of HIPAA security rule compliance, or the lack thereof, as the report finds. Given HHS-OIG's similar October 2008 report criticizing CMS' lack of oversight and enforcement of the HIPAA security rule, as well as the lack of rigorous enforcement by CMS immediately following that report, we do not think that many people were surprised by these more recent HHS-OIG findings. That is, it came as little surprise to hear that CMS did not rigorously oversee or enforce the HIPAA security rule.

Although there certainly are other reasons why transferring oversight of the HIPAA security rule to OCR made sense in 2009 (e.g., efficiencies of having one group investigating and enforcing matters that are as closely related as privacy and security), some have wondered whether part of that decision was based on CMS' lack of oversight and enforcement as identified in the 2008 report. Therefore, it is of little value to identify the lack of enforcement by CMS, an agency that no longer has oversight and enforcement responsibilities in this space.

HHS-OIG attempts to address the new OCR oversight regime by criticizing its enforcement almost as an afterthought, but what HHS-OIG did not seem to take into account is that the ultimate recommendations in the Nationwide Review of CMS' HIPAA Oversight do little more than propose what OCR is required to do under the HITECH Act. That is, OCR already is statutorily required by the HITECH Act to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA privacy and security rules.

OCR made statements around the same time that the two most recent reports were published that it had performed a study on the range of models for conducting HIPAA security audits and was in the process of engaging a contractor to pilot an audit based on one of those models. OCR subsequently awarded such a contract for HIPAA audits to KPMG. The HHS-OIG report did not appear to take this into account. There appears to us to be little value in making a recommendation to OCR that mirrors a statutory obligation that already exists, especially when OCR already had stated that it was in the process of complying with that statutory obligation.

In addition, the Nationwide Review of CMS' HIPAA Oversight's conclusion that there is insufficient oversight of compliance with the HIPAA security rule comes at a time when there has been more oversight and enforcement in the last year than there has been for the last 10 years, making the report seem dated and less reliable.

As such, we find it difficult to agree with the Audit of Health IT Security's findings that the meaningful use rule and electronic health record certification rule requirements to conduct a HIPAA security rule risk assessment and address identified vulnerabilities are insufficient general IT security controls for health IT.

In reaching this conclusion, HHS-OIG comes close to dismissing the HIPAA security rule's sufficiency to impose general health IT security controls because HHS-OIG believes that there is little to no oversight of compliance with the HIPAA security rule. In both reports, it seems HHS-OIG either ignores or dismisses current statutory or regulatory obligations, as well as the actions taken both by OCR and the covered entity community to enforce and comply with these requirements, respectively.
