Last week, the Department of Health and Human Services Office of Inspector General ("OIG") issued an audit report criticizing the Centers for Medicare and Medicaid Services ("CMS") for ineffective and incomplete enforcement of the HIPAA Security Rule. The OIG charged that CMS' approach to Security Rule enforcement has left "significant vulnerabilities" with respect to electronic medical records undetected at U.S. hospitals, and recommended that CMS establish policies and procedures for conducting security compliance reviews of HIPAA covered entities. CMS has already begun responding to the OIG's recommendations, which appear to have been communicated to CMS prior to public issuance of the report.

Until now, CMS has taken a reactive, complaint-driven approach to Security Rule enforcement, much like the HHS Office for Civil Rights has done with the HIPAA Privacy Rule. Acting CMS Administrator Kerry Weems defended this process, stating that its efforts have furthered industry education and voluntary compliance, and criticized what he sees as "OIG's singular focus on compliance reviews...." The OIG countered that "the significant vulnerabilities we identified at hospitals throughout the country would not generally have been identified in HIPAA Security Rule complaints." Weems reportedly concurs in part with OIG’s findings; the report itself indicates that CMS agrees "that compliance reviews are a useful enforcement tool as part of a more comprehensive enforcement strategy...."

It is clear from this report that CMS is feeling pressure from OIG to be more vigorous, aggressive and proactive in its enforcement of the HIPAA Security Rule. Because a hospital's security compliance deficiencies and vulnerabilities are often not evident to its patients, the report indicates that the Security Rule has not been a particularly good fit for an exclusively complaint-driven enforcement program. Hospitals should evaluate whether their HIPAA Security Rule compliance programs would withstand the scrutiny of a CMS Security Rule compliance audit.

The OIG report is available at http://www.oig.hhs.gov/oas/reports/region4/40705064.pdf.