The federal agency that enforces health data security regulations did a poor job of protecting the data it was using in its own investigations.
Officials at the Office of Inspector General at the U.S. Department of Health and Human Services announced that conclusion in this latest report.
Thomas Salmon and other HHS OIG staffers were looking at the efforts of the HHS Office for Civil Rights to enforce the health data Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Security Rule exposes any covered entity or associate that uses personal health information — including brokers — to the prospect of having to pay big fines for violations.
The office did develop guidance for implementing the rule, and it set up an investigation process for responding to reports of violations, HHS OIG officials said.
But the office hasn’t come up with a process for auditing covered entities regularly to make sure they’re actually complying with the requirements, officials said.