Two reports from the Department of Health and Human Services' Office of Inspector General take issue with the way HHS agencies are ensuring the security of electronic protected health information and enforcing the HIPAA security rule.

One report covers the Centers for Medicare and Medicaid Services, which enforced the security rule until late June 2009, and the Office for Civil Rights since it assumed enforcement of the security rule. The second report covers the Office of the National Coordinator for Health Information Technology's role in securing data as it has developed a strategy for a national health information network. Both reports are available at

The OCR report

In assessing OCR's work, the Office of Inspector General first looked back at CMS enforcement efforts and found them lacking. At the time of an OIG report issued in October 2008, CMS had not conducted any security rule compliance reviews, or audits, of covered entities. Following the report, CMS conducted 10 reviews but limited them to entities that had security rule complaints filed against them.

OIG conducted its own security rule audits at seven hospitals across the nation and identified 151 vulnerabilities in systems and controls to protect electronic protected health information. OIG judged 124 of the vulnerabilities--82 percent--as "high impact." For instance, four of the hospitals used the discredited Wired Equivalent Privacy encryption on their wireless networks, and two others used a stronger but still weak encryption/authentication method.

In its review of OCR's security rule enforcement, OIG mostly found fault with OCR's failure to implement a general audit program. "Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it has actually done so," according to the report. "The only reviews OCR mentioned were related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage OCR to continue the compliance review process begun by CMS in 2009."

In comments to OIG, the Office for Civil Rights downplayed the results of OIG's hospital audits. "As a general comment, we caution against drawing conclusions about the state of compliance of all covered entities based on the small sample of narrowly focused audits performed in the review of CMS oversight."

OCR also said it "has considered" the recommendations to conduct compliance reviews at organizations without first having a complaint. The agency then mentioned it reviewed the seven hospitals where OIG found significant security flaws and also reviews organizations that have reported a major breach of unsecured protected health information.

OCR in its comment letter to OIG made no mention of initiatives to implement general audits. But at the recent federally sponsored Safeguarding Health Information conference, Susan McAndrew, OCR deputy director for health information privacy, gave a brief update. The office has done a study to look at audit models and now is trying to engage a contractor to pilot one of the models, she said.

The ONC report

In its report on ONC activities, the Office of Inspector General focused on assessing security controls in health information technology standards. "We found that ONC had application controls in the interoperability specifications, but there were no HIT standards that included general I.T. security controls," according to OIG. "At the time of our audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general I.T. security controls."

Examples of general I.T. security controls not addressed in ONC's rules governing standards, implementation specifications and certification criteria include encrypting data on mobile devices, requiring two-factor authentication when remotely accessing a system, and patching the operating systems of computer systems that process and store electronic health records, according to OIG.

"We found the lack of these and other general I.T. security controls during prior Office of Inspector General audits at Medicare contractors, State Medicaid agencies and hospitals. The vulnerabilities that we noted, combined with our findings in this audit, raise concern about the effectiveness of I.T. security for HIT if general I.T. security controls are not addressed."

Recommendations that OIG made to ONC include:

* Broaden the focus from interoperability specifications to include well-developed controls for supporting systems, networks and infrastructures;

* Use its leadership role to provide guidance on established general I.T. security standards and best practices;

* Emphasize to the medical community the importance of general I.T. security; and

* Coordinate work with CMS and OCR to add general I.T. security controls where applicable.

In a response letter to OIG, the Office of the National Coordinator concurred with the recommendations. The office noted it will work with its advisory committees to "actively explore" the feasibility of adding general I.T. security controls to EHR certification criteria, such as encryption of portable media and two-factor authentication.

ONC also noted that its work on security is an evolving process. "In the early stages of adoption efforts under HITECH, ONC has worked to strike the right balance between ensuring the security of health information among new adopters while not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved," the office contended. "By the end of the HITECH-related wave of health I.T. implementations in 2015, ONC expects to have a well developed set of certification criteria that, coupled with practices initiated under the CMS meaningful use rule, will form a strong security framework for the use and exchange of electronic health information."

--Joseph Goedert

