Skip Navigation
United States Flag

An official website of the United States government. Here's how you know >

Change Font Size

Audit (A-04-07-05064)

Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight

Executive Summary

We found that the Centers for Medicare and Medicaid Services (CMS) had taken limited actions to ensure that covered entities adequately implemented the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. These actions had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities. The HIPAA Security Rule requires a covered entity, such as a health plan or health care provider that transmits any health information in electronic form, to (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information.

CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA Security Rule or that electronic protected health information was being adequately protected. We noted that CMS had an effective process for receiving, categorizing, tracking, and resolving complaints.

We recommended that CMS establish policies and procedures for conducting HIPAA Security Rule compliance reviews of covered entities. CMS did not agree with our findings because it believed that its complaint-driven enforcement process has furthered the goal of voluntary compliance. However, CMS agreed with our recommendation to establish specific policies and procedures for conducting compliance reviews of covered entities. We maintain that adding these reviews to its oversight process will enhance CMS's ability to determine whether the HIPAA Security Rule is being properly implemented.

Complete Report

Download the complete report (PDF)

Adobe® Acrobat® is required to read PDF files.

Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

I'm Looking For

Let's start by choosing a topic

Exclusions Database Report Fraud

Office of Inspector General, U.S. Department of Health and Human Services | 330 Independence Avenue, SW, Washington, DC 20201