HHS Report Identifies Security Lapses for Exchanges

October 2, 2014

The broader definition of personally identifiable information requires medical practices to review their HIPAA compliance and adhere to their security policies.

On September 23, the Department of Health and Human Services, Office of the Inspector General (OIG), released a report showing that some health insurance marketplaces were weaker than others at protecting personally identifiable information (PII).

"Personal Identifiable Information (PII) is defined as: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, e-mail address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media."

Since this definition is broader than that of protected health information (PHI), practices should pay close attention to how they handle PII, not only PHI. The report identified steps that CMS, as well as the New Mexico and Kentucky marketplaces, could take to improve the security of electronic information. The purpose of the report was much like that of a HIPAA Risk Assessment - to assess the security vulnerabilities associated with the creation, receipt, transmission, and maintenance of PHI - except that it extended to the broader security of PII.

"This summary report provides an overview of the results of three reviews of security of certain information technology at the federal [CMS], Kentucky, and New Mexico Health Insurance Marketplaces." Specifically, the OIG assessed whether or not the entities had implemented security requirements in accordance with "relevant Federal requirements and guidance." CMS, while it had implemented certain controls, still had room for improvement in its security controls. Likewise, Kentucky and New Mexico met certain standards. Kentucky had areas for improvement in its access and security controls, while New Mexico's policies and procedures, among other things, were not up to par.

For physicians and providers, as well as every entity impacted by HIPAA, this underscores the importance of being compliant with HIPAA. If Federal and State government entities are being audited and expected to adhere to the standards, so are physician practices, hospitals, and business associates. Failing to do so can have significant financial and reputational consequences.