In recent audit, the U.S. Office of Inspector General found that the Office of the National Coordinator for Health IT and, by extension, the Department of Health and Human Services, lacks the standards to protect patient information adequately.
The finding is a bit ironic, as the HHS is responsible for issuing sanctions to healthcare providers that fail to enact effective data protection practices.
According to the OIG's report, the ONC HIT has established IT security controls to address specific situations, such as the implementation of electronic health records. However, the OIG asserted that the ONC HIT is not taking the big picture into account and lacks standards that include more general IT security controls.
In its report, the OIG suggested that if these shortcomings are not addressed, the general HIT security controls may be adversely affected.
"We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies and hospitals," the report stated. "Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed."
The OIG recommended the ONC broaden its security focus to include more general controls that support systems, networks and infrastructure. Additionally, the report stated that the ONC should use its leadership to establish security best practices within the healthcare industry and emphasize the importance of general IT security.
In recent years, the HHS has become more strict in enforcing healthcare and data protection regulations. For example, earlier this year, the department fined Cignet Health a total of $4.3 million for violating privacy laws established by the Health Insurance Portability and Accountability Act. However, if the department hopes to establish greater data security practices throughout the industry, one might assume that it needs to get its one rule in order first.
