
Inspectors Blast CMS Health Data Oversight

The Centers for Medicare and Medicaid Services (CMS) has done a poor job of enforcing the electronic health data standards included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a watchdog agency says.

The Office of Inspector General at the U.S. Department of Health and Human Services (HHS) looks at compliance with HIPAA personal health information security rules in a review based on audits of 7 U.S. hospitals.

The review identified 151 problems with health data security systems and controls, including 24 high impact problems.

"Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge," officials say in the review. "One of the hospitals we audited reported a breach in which two employees accessed confidential patient information from the hospital's systems and allegedly opened credit card accounts using this information."

HIPAA added a HIPAA Security Rule section to the Social Security Act. The rule requires health plans, health care clearinghouses and health care providers that transmit electronic health data to protect the confidentiality of personal health data, protect against reasonably anticipated risks to data security, and protect against unauthorized use of the information.

A newer law, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), requires HHS to adopt health information technology standards and implementation specifications that "take into account the requirements of HIPAA privacy and security law," officials say.

CMS has used complaint files to choose the targets of past Security Rule compliance reviews; the Office of Inspector General looked at hospitals that had not necessarily been the targets of complaints.

Investigators found that CMS "oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Health Insurance Portability and Accountability Act of 1996 Security Rule," officials say. "As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information (ePHI), thereby leaving ePHI vulnerable to attack and compromise."

Problems discovered included weak passwords, ineffective wireless network encryption, failures to put firewalls between wireless networks and internal wired networks, uninstalled critical security patches, and outdated antivirus updates. Some hospitals used out-of-date operating systems that were no longer being supported or updated by the manufacturers.

In 2009, HHS gave the federal Office for Civil Rights authority over Security Rule enforcement. The HHS Office of Inspector General is recommending that the Office for Civil Rights start Security Rule compliance reviews on its own, without necessarily waiting for complaints to come in. Officials at the office say they will initiate reviews, but, so far, there is no evidence that it has done so, according to officials in the HHS Office of Inspector General.
