CMS criticized for lax enforcement of HIPAA security rules
Agency officials disputed the OIG findings but agreed to enhance compliance-assurance activities.
… Patients’ privacy depends on the security of health information, said Deborah C. Peel, MD, founder and chair of the consumer advocacy organization Patient Privacy Rights. “Privacy means you have control of the data, and you can’t have privacy as long as these databases are insecure. Even if you have a totally secure system, if you give out a thousand master keys, the security is meaningless.”
Dr. Peel said such risks generally would not come to light in a largely complaint-driven process. “People can’t complain, because they don’t know what is going on in these complex systems,” she said, adding that most HIPAA security complaints start out as privacy breaches when patients realize their information was disclosed improperly.