The U.S. Department of Health and Human Services Office of the Inspector General issued two reports yesterday criticizing the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health IT (“ONC”) for doing too little to protect the security of patient health information. The first report, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight, found that CMS oversight and enforcement “were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule.”
The second report, Audit of Information Technology Security Included in Health Information Technology Standards, took ONC to task for failing to include adequate IT security controls among the requirements health care providers must meet to qualify for incentive payments for adopting electronic health records under the “meaningful use” program. The report recommends that ONC: (1) broaden its focus to include well-developed general IT security controls for supporting systems, networks, and infrastructures; (2) use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate its work with CMS and OCR to add general IT security controls where applicable.
OIG’s summaries of the two reports, including links to copies of the complete reports, are available at the following links: