An October 27 report from the Department of Health and Human Services Inspector General states that “limited actions” by CMS have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.”
The main concern of the report is that CMS relies on complaints in order to identify organizations to investigate for failure to comply with HIPAA regulations.
The HHS Inspector General admits that the audit cited in the report was performed in 2007, before CMS signed a contract in January 2008 with PriceWaterhouseCoopers to assist with compliance reviews. However, it still stands behind its recommendation that CMS take a more proactive approach to identifying HIPAA compliance issues.
CMS disagrees with the report. While compliance reviews would be beneficial, CMS believes that the complaint-driven system encourages voluntary compliance. It also stated that the Inspector General's report fails to highlight other steps taken by CMS to improve HIPAA compliance such as industry outreach, education, and complaint investigation and resolution.
Source: Government Health IT
Click here to view the HHS Inspector General's report: