CMS Acting Administrator Kerry Weems

The Centers for Medicare & Medicaid Services has failed to adequately protection patient information under the Health Insurance Portability and Accountability Act (HIPAA), according to the Department of Health and Human Services’ Office of Inspector General.

Under the provisions of HIPAA, CMS was granted the authority to enforce rules of security. A recent OIG inspection, however, found numerous, significant vulnerabilities in the patient information safety system that put patient data at risk. As part of their inspection, OIG officials audited CMS security measures at one hospital. There they found significant vulnerabilities to the system that is meant to guard electronic protected health information.  

It wasn’t all bad news for CMS: The OIG report found tjat the agency had established a good system for receiving and processing complaints about security issues. Still, that alone was not enough to adequately safeguard patient information. Responding to the report, CMS Acting Administrator Kerry Weems said compliance reviews are but one of several tools to promote compliance.