GovernmentHealthIT reports that on January 16, 2008 at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PricewaterhouseCoopers (PWC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS’ Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move on to auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PWC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of e-Health Standards and Services, elaborated that CMS-PWC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PWC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations’ names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed under the HIPAA statute.
Helen’s HIPAA Hint: The comment made by CMS’ Senior Policy Advisor, Ms. Doo, will likely lead covered entities to ask: who is a “Lead Systems Security Manager,” who is an “Access Controls Manager,” and did the Security Rule require us to appoint such individuals?   The technical answer is “no”; the Security Rule only expressly requires a covered entity to appoint a Security Officer. However, the practical answer is that in order for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the “buck must stop” (as they say) ultimately with someone.

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a “team” of individuals who will work in tandem with the Security Officer in making sure that the entity is in full compliance.

So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager, will CMS find this organization non-compliant?  I do not think so, as long as the entity can demonstrate that a specific individual is or specific individuals are ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, being monitored and audited, and issues are being addressed as they come up.