HIPAA Security Rule Investigations: CMS Casts A Wider Net

June 24, 2011
In an earlier post, I talked about the "new era of HIPAA Security Rule enforcement," which was heralded by public statements made by Tony Trenkle, the director of the Centers for Medicare & Medicaid Service ("CMS") Office of E-Health Standards and Services ("OES"). In February, OES posted additional information about the new HIPAA security enforcement initiatives on its website, and there were a few surprises.

First, Mr. Trenkle's initial statements indicated that OES would focus its HIPAA security "investigations" on covered entities that had already been the subject of complaints of non-compliance submitted to CMS. Apparently, OES is going to be reviewing a broader range of entities. The OES website states, "Onsite investigations may be triggered by complaints alleging non-compliance, while onsite compliance reviews will typically arise from non-compliant related sources of information such as media reports or self-reported incidents." This means that a HIPAA covered entity that has experienced a high-profile security breach can add "OES HIPAA security compliance review" to the list of bad things that could happen to it (right alongside "class action lawsuit" and "Attorney General enforcement action").

Second, the sample checklist that OES posted includes some items that are not strictly required by the HIPAA Security Rule. For example, the checklist indicates that OES may ask for a covered entity's vulnerability scanning plans and network penetration testing policy and procedure, along with the results from the most recent vulnerability scan and network penetration test. These measures are certainly consistent with reasonable data security practices, but they highlight that HIPAA covered entities should not focus exclusively on the standards and implementation specifications set forth in the Security Rule. CMS's mantra during the development of the Security Rule was that the measures were intended to reflect "reasonable" security practices. These new statements from OES should put covered entities on notice that reasonable security is an ever-evolving standard and that the letter of the Security Rule standards is only the beginning.
