On March 5, 2014, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued an audit report summarizing its review of electronic information system controls at 10 State Medicaid agencies. The OIG reports that it found “serious vulnerabilities” in the 10 States’ Medicaid Management Information Systems (MMIS). The OIG conducted the audit to determine States’ compliance with federal regulations that require States to implement appropriate security measures in claims processing (MMIS) and eligibility systems.
The OIG identified 79 findings of vulnerabilities among the 10 States. In many States, the vulnerabilities identified were similar, suggesting to the OIG that the problems were “systemic and pervasive.”
The OIG report grouped its findings into three main areas:
- Entity-wide controls that establish the framework for assessing risk, implementing effective procedures, and monitoring these procedures.
- Access controls that prevent or detect unauthorized access to information.
- Network operations controls that monitor systems to ensure a network is secure from attacks.
Although the OIG did not specifically assess HIPAA compliance, the findings also have implications under the federal health privacy law. State Medicaid agencies are covered entities under HIPAA and therefore must comply with HIPAA's Security Rule. The Security Rule's requirements for risk analysis, access controls, and ongoing monitoring in many ways mirror the three control areas described in the OIG audit, so a weakness flagged by the OIG may also be a Security Rule deficiency.