On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI). Of particular interest to health care providers and health plans, these reports signal that heightened enforcement efforts appear likely in the future, making information security a top priority when developing and operating interoperable health care information technology (HIT).
The first OIG report, which assessed the Centers for Medicare and Medicaid Services’ (CMS’) and Office of Civil Rights’ (OCR’s) oversight of the Security Standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), found shortcomings in hospital information security implementation and criticized a perceived lack of effective oversight of those Security Standards by CMS and OCR. The OIG audit examined information security systems at seven large hospitals located in several states. The report found 151 security vulnerabilities, ranging from insufficient password strength and unencrypted laptops containing ePHI to a lack of physical protections (e.g., locks) for computer storage rooms, inadequate encryption methods, and incomplete policies and procedures to address audit controls, backup plans and disaster contingencies. The majority of findings were rated as “high impact”, meaning that they posed a significant risk of harm to the individuals whose ePHI was transmitted or stored at those facilities. The report concluded that OCR needs to significantly improve oversight and enforcement of data security under HIPAA, including continuation of the compliance oversight reviews of covered entities begun in 2009 at the direction of CMS. The OIG report also referred to the exercise of the specific HIPAA enforcement measures and larger penalties enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the 2009 American Recovery and Reinvestment Act (ARRA).
The second OIG report criticized the Office of the National Coordinator for Health Information Technology (ONC), the agency created under ARRA/HITECH to administer and oversee federal incentives for the adoption and meaningful use of interoperable electronic health records (EHRs) and other related national HIT initiatives. That report found that ONC failed to incorporate general information security requirements in the measures required for certified EHRs under HITECH. While certain application security controls were included in the HIT standards, the OIG found that general security requirements covering the overall security structure, policies and procedures specifically applicable to EHR systems were lacking.
In light of these OIG reports, and of ongoing news of misappropriation of patients’ health information and wide-scale security breaches, health care providers and health plans should consider reassessing their security risk exposure and their preparedness to address information security lapses, as well as the HIPAA enforcement that is likely to be at the forefront of the national HIT trend.