Audit Finds Security Issues With Database Already Opposed by Plans Citing HIPAA

By HCCA Staff

The Office of Personnel Management (OPM) has been trying since 2010 to establish a health claims data warehouse (HCDW) to “better understand and control the drivers of health care costs” in the Federal Employees Health Benefits Program (FEHBP).

Referred to as the “largest employer-sponsored health insurance program in the country,” some of the nation’s biggest health plans, including Kaiser Permanente, Aetna, Humana, and Blue Cross plans, participate in the FEHBP. Collectively they enroll more than 8 million federal workers, retirees and their family members. But more than a year ago, they ceased sending information to the HCDW, citing security concerns and arguing that to forward OPM identifiable data as requested would be a HIPAA violation.

Now, a new audit by the Office of Inspector General (OIG) within OPM concludes the information technology “security controls” for the HCDW are “not in complete compliance with all standards.” Among the issues: the HCDW has not had penetration testing and “has not been subject to routine continuous monitoring testing.” Nor has OPM updated its contingency plan since it was written in 2015 when “the system was in development,” OIG said in the audit.

The requirements that the HCDW must meet, including those developed by the National Institute of Standards and Technology (NIST), are mandatory for government agencies. But security experts recommend that HIPAA covered entities and business associates follow the NIST standards, making a review of the OIG findings instructive for them.

OIG made a dozen recommendations to shore up the HCDW; OPM effectively agreed to all of them. Despite the findings, OPM appears committed to moving ahead with the HCDW. Whether it can convince the plans to go along remains unknown. Confidence in OPM’s ability to safeguard especially sensitive data has not been running high since the agency announced in 2015 that it had suffered a massive data breach, exposing information for some 20 million people.

According to OIG, standards applicable to the HCDW are those in the NIST Special Publication 800-53, in the Federal Information Security Modernization Act (FISMA), and in the Federal Information System Controls Audit Manual, as well as those set by OPM’s Office of the Chief Information Officer.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings