The OIG has released two reports on health information technology (HIT) security issues. The first report is entitled “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight.” The review, involving seven hospital audits, the OIG concluded that CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities effectively implemented the HIPAA Security Rule. Since CMS had limited assurance that controls were protecting electronic protected health information (ePHI), the confidentiality, integrity, and availability of ePHI were at risk. The OIG recommended that the HHS Office for Civil Rights (OCR) continue to conduct compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. A second OIG review, “Audit of Information Technology Security Included in Health Information Technology Standards,” concluded that the HHS ONC has not adopted HIT standards that included general information security controls (that is, structure, policies, and procedures that apply to an entity's overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls). The OIG recommended that ONC (1) address general IT security controls for supporting systems, networks, and infrastructures; (2) provide guidance to the health industry on established general IT security standards and best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate within HHS to add general IT security controls where applicable.