CMS Receives Failing Marks for HIPAA Enforcement

  • May 18, 2011

The Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) released a report on the oversight and enforcement actions conducted by the Centers for Medicare & Medicaid Services (CMS) pertaining to hospitals’ implementation of the HIPAA Security Rule. The OIG conducted its audits at CMS in Baltimore, Maryland, and at seven hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas. The OIG concluded that CMS oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule to safeguard electronic protected health information (ePHI).

Specifically, at the seven hospitals audited, the OIG identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact, 24 as medium impact, and 3 as low impact. The OIG concluded that the high impact vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. The vulnerabilities identified represented failures across all three categories of Security Rule safeguards: technical, physical, and administrative.

The OIG’s primary criticism was that CMS had limited its reviews to entities that had had complaints filed against them, had been identified in the media as potentially violating the Security Rule, or had been recommended for review by the HHS Office for Civil Rights (OCR). Accordingly, the OIG recommended that CMS address these vulnerabilities by extending its audits and reviews to covered entities that had not otherwise been identified or recommended for review.

This report highlights the need for providers to comply with the administrative, physical, and technical safeguards mandated by the HIPAA Privacy and Security Rules; to obtain the resources available to develop and implement those safeguards; and to recognize the potential penalties for failing to implement them in a timely manner.

This post was contributed by Charles Dunham.


Posted in: HIPAA
