Many industry observers took great interest in the Department of Health and Human Services (HHS) Office of Inspector General's (OIG) HIPAA security compliance audit of Piedmont Hospital in Atlanta last year. Â The Piedmont Hospital audit was noteworthy for two reasons. Â First, it was apparently the first HIPAA security compliance audit. Â Second, it was surprising to many that the audit was being conducted by OIG, rather than the CMS Office of E-Health Standards and Services, the HHS office with primary responsibility for HIPAA Security Rule compliance. Â Now it appears that CMS is getting underway with its own security compliance program.
In the February issue of
Report on Patient Privacy, Tony Trenkle, the director of the CMS office, comments on CMS's intention to conduct compliance reviews of covered entities "for the foreseeable future." Trenkle first spoke of the initiative at a HIPAA security compliance workshop hosted by CMS and the National Institute of Standards and Security on January 16 outside Washington, D.C.
Trenkle says that 10-20 compliance reviews will be commenced between now and September, with the assistance of contracted vendors PricewaterhouseCoopers. Â Organizations that will be targeted for review will be entities that have already been investigated for a HIPAA security complaint ("filed against entities" or "FAEs"). Â CMS intends to post a security compliance checklist on its website within the next month to assist covered entities in preparing for the reviews.
It will be particularly interesting to see how CMS chooses to interpret noncompliance with the broad, flexible Security Rule standards. Â To what extent will CMS accept an organization's security risk assessment, and the measures that arose from that assessment, at face value? Â How will CMS view an organization that has implemented reasonable security measures, but hasn't conducted a proper risk assessment to support those decisions?
In short, it appears that the era of HIPAA security compliance enforcement has begun. Â Nearly three years after the Security Rule compliance date, no one can say that they didn't have time to prepare. Â