Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight
We found that the Centers for Medicare and Medicaid Services (CMS) had taken limited actions to ensure that covered entities adequately implemented the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. The HIPAA Security Rule requires a covered entity, such as a health plan or health care provider that transmits any health information in electronic form, to (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information.
CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that electronic protected health information was being adequately protected. We noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints.
We recommended that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities. CMS did not agree with our findings because it believed that its complaint-driven enforcement process has furthered the goal of voluntary compliance. However, CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities. We maintain that adding these reviews to its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.