HcPro reports that the Center for Medicare and Medicaid Services (CMS) has contracted with Pricewaterhouse Coopers to conduct security audits of covered entities, according to Karen Trudel, deputy director of CMS’ Office of E-Health Standards and Services.  Pricewaterhouse’s job will be to audit covered entities against which CMS has received a complaint.  The audits conducted by Pricewaterhouse will be in addition to those that are not complaint-driven, such as the random security audit completed of Atlanta’s Piedmont Hospital in March of 2007.  It is being said that at least two more similar "random" audits are planned for the near future. 

Currently, if a complaint contains information about an incident or problem that could also be a violation of the HIPAA Security Rule, the Office of Civil Rights (OCR) coordinates its investigation with CMS, which is the agency within HHS that is responsible for enforcing the Security Rule.  By contracting with Pricewaterhouse, CMS will likely increase its ability to respond to complaints regarding potential security breaches and to audit potential offenders.  

Providers who continue to question whether keeping their HIPAA Security compliance program updated and alive is "worth it" should note that CMS’s decision to contract with Pricewaterhouse Coopers is just another indication that the federal government is not likely to simply sit back and ignore enforcement.  

Helen‘s HIPAA Hint:  Keep your HIPAA Security compliance program alive.  At a minimum, covered entities should: (1) periodically review their HIPAA security policies and procedures; (2) respond to internal complaints with internal investigations and appropriate actions; and (3) providing refresher training to employees.  Also, keep an eye on CMS’s enforcement website where CMS hopes to put more information regarding security rule enforcement. The ability to demonstrate that your organization has an active and effective HIPAA Security compliance program can help if there ever becomes a need to respond to an audit by CMS or OCR.