CMS Expands HIPAA Security Enforcement Efforts

January 08, 2008

The Centers for Medicare and Medicaid Services (“CMS”) recently announced enhancements to its enforcement efforts for the HIPAA Security Rule. CMS has hired PricewaterhouseCoopers (“PWC”) to conduct a series of HIPAA security compliance reviews of organizations against which security complaints have been lodged. The PWC compliance reviews are intended to have an educational component and will supplement random audits, not driven by complaints, conducted by the Department of Health and Human Services Office of Inspector General (“OIG”). Recently the OIG conducted an audit of Piedmont Healthcare, Inc. in Atlanta, and we understand that other “random” audits are planned.

As you are likely aware, the HIPAA security standards, implemented in April 2005, require covered entities to perform periodic review and reevaluation of security safeguards to establish the extent to which the entity’s security policies and procedures continue to meet the HIPAA requirements. The evaluations are based initially upon the standards implemented under the security rule, and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information. Health care providers and health plans who have not recently reviewed or reevaluated their risk analyses, security measures, and policies and procedures documenting these measures should consider doing so as soon as possible.

Up-to-date security measures and documentation of such measures will help protect providers and health plans from liability, and will likely be of great assistance when a provider or a plan faces a compliance review or audit. Given how ubiquitous security breaches have become, hospitals and health plans should especially consider reviewing their procedures for responding to breaches so that they can respond promptly and comprehensively to an alleged breach, regardless of whether a patient or plan member complains to CMS. Careful attention also should be paid to risk management strategies relating to remote access, storage, and transmission of electronic protected health information. 

Dechert has the expertise to assist both health care providers and employer health plans in reviewing and conducting risk analyses, as well as reviewing policies and procedures. If you would like to discuss your HIPAA compliance strategy, please call the Dechert attorney with whom you regularly work or any of the attorneys listed.
