The New Era of HIPAA Security Rule Enforcement

June 24, 2011
Many industry observers took great interest in the Department of Health and Human Services (HHS) Office of Inspector General's (OIG) HIPAA security compliance audit of Piedmont Hospital in Atlanta last year. The Piedmont Hospital audit was noteworthy for two reasons. First, it was apparently the first HIPAA security compliance audit. Second, it was surprising to many that the audit was being conducted by OIG, rather than the CMS Office of E-Health Standards and Services, the HHS office with primary responsibility for HIPAA Security Rule compliance.
Now it appears that CMS is getting underway with its own security compliance program. In the February issue of Report on Patient Privacy, Tony Trenkle, the director of the CMS office, comments on CMS's intention to conduct compliance reviews of covered entities "for the foreseeable future." Trenkle first spoke of the initiative at a HIPAA security compliance workshop hosted by CMS and the National Institute of Standards and Security on January 16 outside Washington, D.C. Trenkle says that 10-20 compliance reviews will be commenced between now and September, with the assistance of contracted vendors PricewaterhouseCoopers. Organizations that will be targeted for review will be entities that have already been investigated for a HIPAA security complaint ("filed against entities" or "FAEs"). CMS intends to post a security compliance checklist on its website within the next month to assist covered entities in preparing for the reviews.
It will be particularly interesting to see how CMS chooses to interpret noncompliance with the broad, flexible Security Rule standards. To what extent will CMS accept an organization's security risk assessment, and the measures that arose from that assessment, at face value? How will CMS view an organization that has implemented reasonable security measures, but hasn't conducted a proper risk assessment to support those decisions?
In short, it appears that the era of HIPAA security compliance enforcement has begun. Nearly three years after the Security Rule compliance date, no one can say that they didn't have time to prepare.
