According to a recent report from Government Health IT, CMS’ intentions were made known at a January 2008 HIPAA workshop, in which Tony Trenkle, director of CMS’ Office of E-Health Standards and Services (OESS), presented a keynote address on Security Rule compliance and OESS enforcement activities.
Government Health IT reports that the audits will involve not only CMS, but also PricewaterhouseCoopers — a national accounting and consulting firm that was recently contracted by the agency to assist with the compliance review efforts. CMS officials expect to initially target a group of 10 to 20 large hospitals — most, if not all, of those being entities against which a Security Rule complaint has been filed.
Increased Security Rule Compliance Activity
News of CMS’ audit plans — while noteworthy — is not all that surprising given the federal government’s increased interest in Security Rule compliance over the last year.
In both its 2007 and 2008 Work Plans, the Department of Health and Human Services Office of Inspector General (OIG) discusses its intent to review CMS’ experience with implementing the HIPAA Security Rule. Indeed, a priority for FY 2008 is to examine not only CMS’ oversight, implementation and enforcement of the regulations, but also whether the agency “has implemented controls to reasonably ensure that the HIPAA Security Rule achieves its intended results.”
It has also been widely reported that at least one hospital has already been audited for Security Rule compliance. In 2007, the OIG apparently spent several weeks examining the HIPAA compliance practices and procedures of Piedmont Hospital in Atlanta, Georgia. Although neither the hospital nor OIG officials have been willing to publicly comment on the audit’s scope, a June 2007 report by Computerworld — an information technology (IT) management publication — disclosed that the facility was asked to produce a list of 42 items as part of the audit. Among the requested materials were hospital policies and procedures addressing issues such as Internet usage, password and server configurations, remote access activity, electronic transmission of electronic protected health information (EPHI), firewalls, antivirus software and security access controls. The OIG also reportedly made specific informational requests, asking that the hospital provide lists of certain items such as terminated employees, new hires, encryption mechanisms, users with remote access capabilities, authentication methods, antivirus software and database security controls.
Conducting a Self-Audit
Given that both the OIG and CMS are stepping up Security Rule reviews, now may be the perfect time for hospitals and other HIPAA-covered entities to conduct self-audits of their Security Rule compliance programs. At a basic level, this will require an organization to assess whether it is meeting the general requirements of the regulations, including:
- Ensuring the confidentiality, integrity and availability of EPHI that the organization creates, receives, maintains and transmits;
- Protecting against any reasonably anticipated threats or hazards to the security and integrity of EPHI;
- Protecting against any reasonably anticipated uses or disclosures of PHI that are not permitted or required by the HIPAA Privacy Rule; and
- Ensuring HIPAA compliance by its workforce.
Such an assessment can be accomplished through any number of procedures or tools, depending on the organization’s size, capabilities and technical infrastructure. However, at a minimum, the self-audit should include a review of:
- Administrative, physical and technical safeguard standards set forth in the Security Rule;
- CMS Security Rule guidance and educational materials (available at www.cms.hhs.gov/SecurityStandard/);
- Organization procedures and safeguards to manage, protect and control access to EPHI in accordance with the Security Rule standards;
- Records of information system activity, such as audit logs and access reports;
- Reports and investigations of security incidents (e.g., loss of data, employee violations and patient complaints);
- Existing Security Rule compliance policies, procedures and forms; and
- Operational and/or organizational changes that may affect the management, security and safeguarding of EPHI.
Results of the self-audit should be appropriately documented, and the organization should develop new Security Rule compliance policies, procedures and/or forms (as needed) to close any compliance gaps identified through the self-audit process.
In a nutshell: Be prepared in case the OIG and/or CMS come knocking at the door. Forewarned is forearmed.
March 2008