The Centers for Medicare and Medicaid Services (CMS) has done a poor job of enforcing the electronic health data standards included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a watchdog agency says.
The Office of Inspector General at the U.S. Department of Health and Human Services (HHS) looks at compliance with HIPAA personal health information security rules in a review based on audits of 7 U.S. hospitals.
The review identified 151 problems with health data security systems and controls, including 24 high-impact problems.
"Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge," officials say in the review. "One of the hospitals we audited reported a breach in which two employees accessed confidential patient information from the hospital's systems and allegedly opened credit card accounts using this information."
HIPAA added a HIPAA Security Rule section to the Social Security Act. The rule requires health plans, health care clearinghouses and health care providers that transmit electronic health data to protect the confidentiality of personal health data, protect against reasonably anticipated risks to data security, and protect against unauthorized use of the information.
A newer law, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), requires HHS to adopt health information technology standards and implementation specifications that "take into account the requirements of HIPAA privacy and security law," officials say.
CMS has used complaint files to choose the targets of past Security Rule compliance reviews; the Office of Inspector General looked at hospitals that had not necessarily been the targets of complaints.
Investigators found that CMS "oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule," officials say. "As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise."
Problems discovered included weak passwords, ineffective wireless network encryption, failures to put firewalls between wireless networks and internal wired networks, uninstalled critical security patches, and outdated antivirus updates. Some hospitals used out-of-date operating systems that were no longer being supported or updated by the manufacturers.
In 2009, HHS gave the federal Office for Civil Rights authority over Security Rule enforcement. The HHS Office of Inspector General is recommending that the Office for Civil Rights start Security Rule compliance reviews on its own, without necessarily waiting for complaints to come in. Officials at the office say they will initiate reviews, but so far there is no evidence that the office has done so, according to officials in the HHS Office of Inspector General.