Share this article on:
The U.S. Coastguard (USCG) has been audited by the Office of the Inspector General (OIG) to assess privacy and security measures that have been implemented to safeguard Protected Health Information (PHI). The OIG auditors discovered the USCG lacks a number of the necessary controls to protect the privacy of the data it holds.
The USCG operates 42 health clinics and 150 sick bays in coastal areas in the United States and Puerto Rico. Each year over 300,000 clinic visits are recorded, with data recorded in its Composite Health Care System (CHCS).
The CHCS contains Personally Identifiable Information (PII) along with PHI that includes medical test results, immunization data, pharmacological and x-ray data; information covered under the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA Privacy and Security Rules place a number of requirements on HIPAA-covered entities to ensure that data remains private and confidential, and is only shared with authorized individuals for the provision of treatment and medical care to patients. HIPAA also covers the physical, technical and administrative measures that must be implemented to safeguard PHI.
Privacy Protections Come up Short
According to the OIG report, the USCG lacks a strong organizational approach which has hampered the implementation of measures to protect privacy and ensure data remains secure.
According to the OIG, the “USCG has made progress in developing a culture of privacy. Separately, the USCG Privacy Officer and Health Insurance Portability and Accountability Act Official are working to ensure that they are meeting the requirements of pertinent legislation, regulations, directives, and guidance.”
However, while progress has been made, there is still some way to go. One of the main aims of HIPAA is to introduce a national standard for data privacy security, but according to the report, the USCG has not yet managed to raise privacy standards to the level required by the legislation.
Numerous HIPAA Violations Discovered
The OIG auditors discovered that USCG clinics do not maintain consistent instructions for health records and there are inconsistent policies and procedures covering the maintenance of health records and their disposal when they are no longer required.
Procedures give out conflicting information, for instance, in the USCG Medical Manual, the “health service log” is listed as a permanent health record, yet in the SCG Life Cycle Manual (June 15, 2011/ NARA’s Approved Changes (June 7, 2013) the records must be destroyed after 6 years. Controlled substance prescriptions should be destroyed after 3 years, but also again after 6 years if the policies are to be followed to the letter.
USCG Privacy and HIPAA offices do not formally communicate on privacy oversight and reporting and its clinics have incomplete contingency planning to ensure PHI is safeguarded at all times. The OIG also found that USCG clinics are not mitigating the risks to PHI and have not implemented the appropriate physical controls to protect PHI as required by the HIPAA Security Rule. Physical health records were discovered stored in open areas or in rooms with unlocked doors. Water damage to buildings could also conceivably damage physical records.
Risk assessments are also required under the Security Rule, yet the USCG has not conducted risk assessments for the Merchant Mariner Credentialing Program, while “USCG privacy and HIPAA officials do not formally communicate to improve privacy oversight and incident reporting, thereby limiting USCG’s ability to assess and mitigate the risks of future privacy or HIPAA breaches.”
Recommendations made by the OIG
After assessing the USCG on data privacy and security issues, the OIG auditors have made five recommendations to bring data privacy and security standards up to the required standard. These are:
We recommend that the Vice Commandant of the Coast Guard establish a formal mechanism to ensure communication between the USCG Privacy Officer and the HIPAA Privacy and Security Official for enhanced privacy oversight and reporting.
We recommend that the Vice Commandant of the Coast Guard ensure consistent instructions for managing the health records retention and disposal.
We recommend that the Vice Commandant of the Coast Guard prepare a plan of action and milestones to ensure that USCG has complete contingency planning for safeguarding privacy data in the event of emergency or disaster.
We recommend that the Vice Commandant of the Coast Guard prepare a plan of action and milestones to periodically review physical safeguards to mitigate risks to SPII and PHI at clinics.
We recommend that the Vice Commandant of the Coast Guard prepare a plan of action and milestones to improve internal controls for the merchant mariner credentialing program and processes to ensure protection of privacy data.
The USCG has agreed with the recommendations made by the OIG and will be working on updating policies and procedures to improve data security and privacy standards. Until such time that this occurs, the OIG will consider the matter unresolved. At this stage however, there appears to be no financial penalties issued for the HIPAA violations.