HHS and ONC Hit By Inspector General Audit Relative to Digital Security and Privacy–Stuff That Could Happen Anywhere Today
Posted May 17 2011 1:35am
I’m not sure I understand all the implications here but the original letter was received by Dr. Blumenthal before he left and returned to Harvard. The main items here were lack of audits of hospitals to provide security which included several areas here and the ONC for lack of leadership in promoting electronic record security. I’m not quite sure exactly what the ONC’s part was supposed to be in that role and if it entailed having to promote security vendors or what? I don’t quite understand that portion of this audit as with any records system in a hospital with an IT department, that’s a given project, anywhere.
Years ago before all this began I could tell some horror stories about hospital security in the early days of medical records, but again most of the IT departments today work very hard at it. The Office for Civil Rights didn’t quite do their job right either with privacy audits. You know I am curious as to how these audits were conducted and by whom, were they in house or outsourced? I occasionally remark about the ONC folks not all being coders or at least having some with a coding background and it’s hard to sometimes get things in the right order without being able to get a visual picture in your head.
I was kind of hesitant anyway when Ms. Sebelius was given the office back in 2009 as I knew in a short amount of time that a lot of that job was going to be Health IT related, as that’s the way the coders of the world see things and project when you look at and work with data. A real good example of one who predicts well, who’s Mr. Code himself of course, is Bill Gates, and he’s ahead of the game.
A common problem mentioned was that hospitals were slow to update computer software, well how about the FDA a few years ago, this one from 2009 will about make you choke and I wonder if that rule is still on their books:)
“The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452 (as amended), is to protect the integrity of Department of Health and Human Services (HHS) programs, as well as the health and welfare of the beneficiaries of those programs. The OIG has a responsibility to report both to the Secretary and to the Congress program and management problems and recommendations to correct them. The OIG's duties are carried out through a nationwide network of audits, investigations, inspections and other mission-related functions performed by OIG components.”
My next question, what in the world is Congress going to do with this…for the most part they barely have enough technology and digital literacy of their own…the interpretation is still key. The image above represents the VB 6 program called RAT-STATS for auditing from the Inspector General and you can download and use it too for private use, it’s free.
Also worth mentioning is the $2.5 billion budget cut that begins and includes cuts at CDC, so what can they afford? My comments remain the same here with a digitally literate Congress and this audit could be anything you would expect anywhere. The only big fault I have with the department is a “huge lack of role models” and that’s easy enough to cure, if they want to.
It really is hard too when you have Senators creating bills that also increase the budget of HHS and put deadlines in there for IT infrastructures that are impossible to meet, like this below with the doctors’ Medicare billing, the biggest waste of time and most ridiculous lawsuit filed by the Dow Jones on this matter too against HHS. With privacy and security bursting out at the seams all over the place today an audit anywhere would have found items along this line as it’s just the world we live in today.
Still want role models though at HHS that get and talk about their PHRs:)
Two new audit reports question HHS' commitment to digital security in health information technology.
The reports, issued today by HHS' inspector general's office, target both the Office of the National Coordinator for Health Information Technology and the Office for Civil Rights for failing to adequately protect patients' electronic information.
In a 36-page “rollup” report citing audits at seven unnamed hospitals, the inspector general's office assails the Office for Civil Rights for a lack of rigor in enforcing the security provisions of the Health Insurance Portability and Accountability Act of 1996. The report also calls out the CMS, which previously oversaw digital security.
In a separate 23-page report, auditors criticize the ONC for lack of leadership in promoting electronic health information security.
In July 2009, the Office for Civil Rights took over as overseer of the HIPAA security rule from the CMS. At the time, the CMS said it had investigated 428 security complaints but hadn't levied a single monetary penalty against a violator since the HIPAA security rule became effective for providers in April 2005.
The inspector general's report noted that although both the CMS and the Office for Civil Rights had the authority to launch security audits, neither had done so.
To test hospitals' levels of HIPAA compliance, the inspector general's office initiated a series of its own security audits between August 2009 and March 2010 at hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas.
In a March 23 letter in response to the audit, then-ONC head Dr. David Blumenthal explained that the ONC's meaningful-use criteria required providers to perform risk assessments in accordance with HIPAA security requirements. (HIPAA does not specifically require providers to encrypt data, only to ensure that it is securely kept.)