Ineffective oversight has led to “numerous, significant vulnerabilities” in the system that safeguards electronic protected health information (EPHI), according to a government report released last week. In addition, the report found that the agency charged with oversight of HIPAA’s Security Rule had not conducted a single compliance review nor levied any civil penalties at the time of publication. The report also warned that poor enforcement has placed confidentiality of EPHI at “high risk.”
No wonder nearly two-thirds of Americans distrust the privacy of electronic medical records. The Inspector General (IG) for the Department of Health and Human Services (HHS) issued the study on implementation of HIPAA’s Security Rule. The findings were alarming in what they suggested about the security of American medical records. The report also reinforced CDT’s repeated calls for stronger enforcement of the HIPAA Privacy and Security Rules.
The Security Rule requires healthcare entities to protect EPHI via a series of administrative, physical, and technical safeguards. Effective February 2006, HHS delegated oversight and enforcement of the Security Rule to the Center for Medicare & Medicaid Services (CMS). CMS has the power to conduct compliance reviews, resolve complaints, and also to impose monetary penalties upon healthcare entities that do not meet Security Rule standards. CMS has done very little with this authority, according to the report. CMS instead relied largely on patient complaints for oversight, lamely arguing that this furthered the goal of voluntary compliance among healthcare entities. The report countered that complaints alone were ineffective for identifying noncompliance, as well as for remedying the systemic vulnerabilities that place EPHI at risk.
HIPAA enforcement must be taken seriously if the public is ever going to put its faith in electronic medical record systems. Relying exclusively on complaints places the onus on patients to protect their own privacy and confines the agency’s oversight to a reactive posture in which it acts only after a problem has already occurred. That’s not oversight, that’s damage control. The IG report is another warning signal of the inadequate protection afforded to patients’ information. The issue is especially crucial right now: health information technology is becoming more commonplace, Congress is poised to legislate on the subject, and related privacy risks like medical ID theft are growing as well. If health information technology is really going to get off the ground, as both presidential candidates evidently desire, then it’s time to put some real teeth into HIPAA enforcement. Privacy without compliance is feeble, and Americans know it. A right without a remedy is no right at all.