The HHS Office of Inspector General (OIG) has issued a report entitled "Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 (HIPAA) Oversight." By way of background, the HIPAA security rule requires health plans, providers, and other covered entities that transmit health information in electronic form to: (1) ensure the integrity and confidentiality of the information, (2) protect against any reasonably anticipated threats or risks to the security or integrity of the information, and (3) protect against unauthorized uses or disclosures of the information. The OIG found that CMS had no effective mechanism to ensure that covered entities adequately implemented the HIPAA security rule or that electronic protected health information was being adequately protected. The OIG recommended that CMS establish policies and procedures for conducting HIPAA security rule compliance reviews of covered entities. While CMS disagreed with the OIG’s findings, the agency agreed to establish policies for conducting compliance reviews.