The Office of the Inspector General (“OIG”) at the U.S. Office of Personnel Management (“OPM”) alleged in a report dated February 12, 2018 that Health Net of California (“Health Net”) obstructed a federal IT audit, thereby violating its contract with the OPM.
In the report, OIG refers to Health Net’s refusal to comply with the planned testing as “unprecedented”. The report further states that Health Net, on February 7, 2018, responded to a formal request from OPM, indicating that it would neither provide the requested documentation nor allow the agency to conduct testing. OPM stated that Health Net’s refusal to permit this “standard audit” testing leaves multiple questions about Health Net’s vulnerability and configuration management programs unanswered. In particular, OPM was unable to test whether Health Net effectively removes information system access from terminated employees and contractors.
It appears from the OIG report that OPM’s level of security scrutiny of Health Net is due to vendor requirements for participating in government programs (in this case, Federal Employee Health Benefit Programs). Vendor requirements for security controls in these government programs are far more stringent than the HIPAA Security Rule. (Hard to believe!)
It is not uncommon for similar disputes to arise, in the context of HIPAA, when healthcare organizations attempt to evaluate the security practices of their business associate vendors. Since HIPAA was enacted, covered entities (“CEs”) have found it challenging to get business associates (“BAs”) to cooperate in security testing, risk assessments and program audits, or even simply to share the BA’s information security and privacy policies. BAs often offer some type of poor excuse for failing to comply with such requests, including that such assessments would take too much time, would be disruptive to normal business operations, or would even pose a security threat in and of themselves. It is speculated that a BA’s refusal to cooperate in such matters may stem from the BA’s belief that the CE is dependent upon it and cannot terminate it.
In the private sector, it is not common for CEs to technically test their BAs’ security. Most CEs focus, at a first level of oversight, on improving their own security and assuring they have BA contracts in place. The next step in such oversight activities is for CEs to perform desk audits of their BAs, using a survey tool, as well as reviewing policies and procedures. CEs may also ask for evidence of the BA having passed a “penetration test” from an established third-party testing company. These greater levels of scrutiny have become more common, especially with large CEs such as health plans and pharmacy benefit managers.
Most healthcare providers, however, except perhaps large health systems and for-profit hospital chains, do not reach this level of sophistication in security testing, due primarily to resource constraints. Regrettably, federal requirements for data privacy and security are predominantly “one size fits all”, rather than being scaled to accommodate different sized organizations. This creates significant challenges, particularly in compliance and enforcement matters, for smaller providers.
Health Net claims that it has fully cooperated in this OPM audit, and continues to deny that it failed to satisfy OPM’s documentation requests. In a recent public statement, Health Net further claims that the OIG report contains grossly inaccurate statements about the security of Health Net’s IT systems. Finally, in this statement, Health Net claims to have been advised by legal counsel that complying with certain audit requests would risk violation of Health Net’s contractual obligations to protect its protected health information (“PHI”).
It is not yet clear what type of action OPM will take. We will post further information as it becomes available.
GWB, LLC is a boutique law firm specializing in health care law. The Firm has significant background and experience in HIPAA data privacy and security matters in the areas of compliance and enforcement.