The New Era of HIPAA Security Rule Enforcement

June 24, 2011
Many industry observers took great interest in the Department of Health and Human Services (HHS) Office of Inspector General's (OIG) HIPAA security compliance audit of Piedmont Hospital in Atlanta last year. The Piedmont Hospital audit was noteworthy for two reasons. First, it was apparently the first HIPAA security compliance audit. Second, it was surprising to many that the audit was being conducted by OIG, rather than the CMS Office of E-Health Standards and Services, the HHS office with primary responsibility for HIPAA Security Rule compliance.

Now it appears that CMS is getting underway with its own security compliance program. In the February issue of Report on Patient Privacy, Tony Trenkle, the director of the CMS office, comments on CMS's intention to conduct compliance reviews of covered entities "for the foreseeable future." Trenkle first spoke of the initiative at a HIPAA security compliance workshop hosted by CMS and the National Institute of Standards and Security on January 16 outside Washington, D.C. Trenkle says that 10-20 compliance reviews will be commenced between now and September, with the assistance of the contracted vendor PricewaterhouseCoopers. Organizations targeted for review will be entities that have already been investigated for a HIPAA security complaint ("filed against entities" or "FAEs"). CMS intends to post a security compliance checklist on its website within the next month to assist covered entities in preparing for the reviews.

It will be particularly interesting to see how CMS chooses to interpret noncompliance with the broad, flexible Security Rule standards. To what extent will CMS accept an organization's security risk assessment, and the measures that arose from that assessment, at face value? How will CMS view an organization that has implemented reasonable security measures but hasn't conducted a proper risk assessment to support those decisions?
In short, it appears that the era of HIPAA security compliance enforcement has begun. Nearly three years after the Security Rule compliance date, no one can say that they didn't have time to prepare.
