CMS Begins HIPAA Security ‘Compliance Reviews’ in Regular New Effort Unrelated to Prior OIG Audits

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

Officials from the CMS Office of E-Health Standards and Services intend to visit covered entities (CEs) "for the foreseeable future" to ensure they are complying with the security rule, the director of the office, Tony Trenkle, tells RPP.

Trenkle says the visits, of which there will be 10 to 20 between now and September, are being considered "compliance reviews" rather than audits. However, entities found to have committed violations could be subject to fines, corrective action plans and other enforcement actions.

The reviews, which began last month with the assistance of contractors from PricewaterhouseCoopers, are separate and unrelated to audits being conducted by the HHS Office of Inspector General (OIG), he says. OIG conducted a surprise security rule audit of Piedmont Hospital in Atlanta last year, and since that time many hospitals have been bracing themselves for the potential that they could be next.

The truth is they could be — but with the news of CMS's reviews, they now have two enforcement agencies to worry about.

The CMS reviews are an entirely new initiative and will target all security-rule CEs, which typically must also comply with the privacy rule. The focus is broader than just hospitals, although they are included, Trenkle says. "In the future we may work with [OIG], but these are two separate processes," he says.

Trenkle first spoke of the initiative at a HIPAA security compliance workshop co-sponsored by CMS and the National Institute of Standards and Security held outside Washington, D.C., on Jan. 16. But he tells RPP that his comments were misconstrued by those who thought he was referring to hospitals only and to Piedmont-type audits. It was also reported that large hospitals are a focus, but Trenkle denies saying so.

The exact number of entities to be reviewed by the end of September "will depend on a number of factors," he says, including funding. The PricewaterhouseCoopers contract runs to the end of the 2007-2008 fiscal year, and may or may not be renewed. Regardless, the reviews will not end in September, he says, and CEs should expect them to be ongoing.

"We intend to do them for the foreseeable future," Trenkle says. "My commitment is to look at what comes in from these reviews, look at how the industry is responding and go from there."

The reviews are "a key component of the enforcement of the security rule," he says. "We think it is important to get out there and see what is being done and not being done."

The targeted entities for the CMS reviews are those for which CMS has already investigated a security complaint, says Trenkle. "These are not audits. They are not random," he says.

CMS calls these organizations "filed against entities," or FAEs, says Lorraine Tunis Doo, the senior policy advisor in Trenkle's office, who also spoke with RPP.

As of December 2007, CMS had received a total of 283 security complaints and had closed 191. The majority of security complaints are allegations of "inappropriate access and risk of inappropriate disclosure," Trenkle says.

The reviews will re-examine efforts entities took to address the initial complaint that brought them to CMS's attention, as well as take a global look at all of the entities' security practices to identify possible compliance failures.

Some entities have been asked to have a corrective action in place as a result of violations, Doo says. The reviewers will determine if the plan was implemented correctly.

In addition, they will focus on a checklist of general security rule requirements. CMS intends to post the checklist on its Web site within the next month, Trenkle says, to give entities a heads up. It also is meant to help educate the health care community about where to focus their security compliance efforts.

In addition, CMS's reviews will center on remote-access security measures that entities have in place. CMS has previously indicated its concern over remote access and issued guidance on the topic in 2006.

The CMS officials would not provide many details on how the reviews will be conducted, such as how many days reviewers might be on site. Once they arrive, "we will interview the people who are appropriate to the documentation and policy and procedures that we need to evaluate," Doo says. "Whoever is relevant will need to be there. It could be different at every review."

Some Findings Will Be Released

If reviews turn up violations, action plans will be required, Trenkle says. CMS also has the authority to impose fines for serious acts of noncompliance. Results of the reviews will also be shared with the health care community, but unlike audits conducted by OIG, findings will not be linked by name to an entity.

It is still undetermined just how and when findings will become known, such as whether separate reports will be posted by entity or in summary fashion from a number of reviews. But Trenkle did offer an assurance that CMS will not reveal the identities of the reviewed entities.

"We want to learn with the industry, without embarrassing the entities," Trenkle says. "There are lessons to be learned. We will be looking at best practices and those that need improvement."

He emphasizes that he views the reviews as a "conversation," and pledged that CMS will be receptive to feedback. "This is an iterative process, and we are learning as we go along, and we will make further determinations as to how we conduct these compliance reviews," he says. "It is a learning process. It is a beginning."
