Ineffective oversight has led to "numerous, significant vulnerabilities" in the system that safeguards electronic protected health information (EPHI), according to a government report released last week. In addition, the report found that the agency charged with oversight of HIPAA's Security Rule had neither conducted a single compliance review nor levied any civil penalties at the time of publication. The report also warned that poor enforcement has placed the confidentiality of EPHI at "high risk."
No wonder nearly two-thirds of Americans distrust the privacy of electronic medical records.
The Inspector General (IG) for the Department of Health and Human Services (HHS) issued the study on implementation of HIPAA's Security Rule. The findings were alarming in what they suggested about the integrity of American medical records. The report also reinforced CDT's repeated calls for stronger enforcement of the HIPAA Privacy and Security Rules.
The Security Rule requires healthcare entities to protect EPHI via a series of administrative, physical, and technical safeguards. Effective February 2006, HHS delegated oversight and enforcement of the Security Rule to the Centers for Medicare & Medicaid Services (CMS). CMS has the power to conduct compliance reviews, resolve complaints, and impose monetary penalties on healthcare entities that do not meet Security Rule standards.