The Centers for Medicare and Medicaid Services (CMS) has done a poor job of enforcing the electronic health data standards included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a watchdog agency says.
The Office of Inspector General at the U.S. Department of Health and Human Services (HHS) examined compliance with HIPAA's personal health information security rules in a review based on audits of seven U.S. hospitals.
The review identified 151 problems with health data security systems and controls, 24 of them rated high impact.
“Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge,” officials say in the review. “One of the hospitals we audited reported a breach in which two employees accessed confidential patient information from the hospital’s systems and allegedly opened credit card accounts using this information.”
HIPAA added security-standards provisions to the Social Security Act, which HHS implements through the HIPAA Security Rule. The rule requires health plans, health care clearinghouses and health care providers that transmit electronic health data to protect the confidentiality of personal health data, protect against reasonably anticipated threats to the security of that data, and protect against unauthorized uses or disclosures of the information.
A newer law, the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), requires HHS to adopt health information technology standards and implementation specifications that "take into account the requirements of HIPAA privacy and security law," officials say.