HIPAA Security Rule Audits on the Horizon

Mar 06, 2008 at 10:27 am by steve


Compliance officers take note: the Centers for Medicare & Medicaid Services (CMS) may soon begin conducting HIPAA Security Rule compliance audits of hospitals.

According to a recent report from Government Health IT, CMS’ intentions were made known at a January 2008 HIPAA workshop, in which Tony Trenkle, director of CMS’ Office of E-Health Standards and Services (OESS), presented a keynote address on Security Rule compliance and OESS enforcement activities.

Government Health IT reports that the audits will involve not only CMS, but also PricewaterhouseCoopers — a national accounting and consulting firm that was recently contracted by the agency to assist with the compliance review efforts. CMS officials expect to initially target a group of 10 to 20 large hospitals — most, if not all, of those being entities against which a Security Rule complaint has been filed.

Increased Security Rule Compliance Activity

News of CMS’ audit plans — while noteworthy — is not all that surprising given the federal government’s increased interest in Security Rule compliance over the last year.

In both its 2007 and 2008 Work Plans, the Department of Health and Human Services Office of Inspector General (OIG) discusses its intent to review CMS’ experience with implementing the HIPAA Security Rule. Indeed, a priority for FY 2008 is to examine not only CMS’ oversight, implementation and enforcement of the regulations, but also whether the agency “has implemented controls to reasonably ensure that the HIPAA Security Rule achieves its intended results.”

It has also been widely reported that at least one hospital has already been audited for Security Rule compliance. In 2007, the OIG apparently spent several weeks examining the HIPAA compliance practices and procedures of Piedmont Hospital in Atlanta, Georgia. Although neither the hospital nor OIG officials have been willing to publicly comment on the audit’s scope, a June 2007 report by Computerworld — an information technology (IT) management publication — disclosed that the facility was asked to produce a list of 42 items as part of the audit. Among the requested materials were hospital policies and procedures addressing issues such as Internet usage, password and server configurations, remote access activity, electronic transmission of electronic protected health information (EPHI), firewalls, antivirus software and security access controls. The OIG also reportedly made specific informational requests, asking that the hospital provide lists of certain items such as terminated employees, new hires, encryption mechanisms, users with remote access capabilities, authentication methods, antivirus software and database security controls.

Conducting a Self-Audit

Given that both the OIG and CMS are stepping up Security Rule reviews, now may be the right time for hospitals and other HIPAA-covered entities to conduct self-audits of their Security Rule compliance programs. At a basic level, this requires an organization to assess whether it is meeting the general requirements of the regulations, including:

Such an assessment can be performed with any number of procedures or tools, depending on the organization’s size, capabilities and technical infrastructure. At a minimum, however, the self-audit should include a review of:

Results of the self-audit should be documented, and the organization should develop new Security Rule compliance policies, procedures and/or forms (as needed) to close any compliance gaps the self-audit identifies.

In a nutshell: Be prepared in case the OIG and/or CMS come knocking at the door. Forewarned is forearmed.



March 2008