The Centers for Medicare and Medicaid Services has not provided effective oversight and has taken only 'limited actions' to ensure that covered entities adequately implement patient privacy regulations contained in the Health Insurance Portability and Accountability Act of 1996, according to a report from the Health and Human Services Department's Office of Inspector General. The OIG found that the CMS had not conducted any compliance reviews of covered entities, and instead relied on complaints to target investigations. However, the CMS has received very few complaints about violations, the report said. 'As a result, the CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA security rule' or that electronic health information was being adequately protected, the report concluded. CMS has taken steps to begin conducting compliance reviews in an effort to identify security problems and vulnerabilities under HIPAA, the OIG said.