On March 5, 2014, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued an audit report summarizing its review of electronic information system controls at 10 State Medicaid agencies.  The OIG reports that it found “serious vulnerabilities” in the 10 States’ Medicaid Management Information Systems (MMIS).  The OIG conducted the audit to determine States’ compliance with federal regulations that require States to implement appropriate security measures in claims processing (MMIS) and eligibility systems.

The OIG identified 79 findings of vulnerabilities among the 10 States.  In many States, the vulnerabilities identified were similar, suggesting to the OIG that the problems were “systemic and pervasive.”

The OIG report focused its findings in three main areas:

  • Entity-wide controls that establish the framework for assessing risk, implementing effective procedures, and monitoring these procedures.
  • Access controls that prevent or detect unauthorized access to information.
  • Network operations controls that monitor systems to ensure a network is secure from attacks.

Although the OIG did not look specifically at HIPAA compliance, its findings also have implications for potential findings under the federal health privacy law.  State Medicaid agencies are covered entities under HIPAA, and therefore must comply with HIPAA’s Security Rule.  The requirements of HIPAA’s Security Rule, in many ways, mirror those described in the OIG audit.

Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services.