In an earlier post, I talked about the "new era of HIPAA Security Rule enforcement," which was heralded by public statements made by Tony Trenkle, the director of the Centers for Medicare & Medicaid Services ("CMS") Office of E-Health Standards and Services ("OES"). In February, OES posted additional information about the new HIPAA security enforcement initiatives on its website, and there were a few surprises.
First, Mr. Trenkle's initial statements indicated that OES would focus its HIPAA security "investigations" on covered entities that had already been the subject of complaints of non-compliance submitted to CMS. It now appears that OES is going to be reviewing a broader range of entities. The OES website states, "Onsite investigations may be triggered by complaints alleging non-compliance, while onsite compliance reviews will typically arise from non-compliant related sources of information such as media reports or self-reported incidents." In other words, a compliance review does not require a complaint; a media report about a breach, or the entity's own disclosure of one, is enough to trigger it. This means that a HIPAA covered entity that has experienced a high-profile security breach can add "OES HIPAA security compliance review" to the list of bad things that could happen to it (right alongside "class action lawsuit" and "Attorney General enforcement action").
Second, the sample checklist that OES posted includes some items that are not strictly required by the HIPAA Security Rule. For example, the checklist indicates that OES may ask for a covered entity's vulnerability scanning plans and network penetration testing policy and procedure, along with the results from the most recent vulnerability scan and network penetration test. Neither activity is named in the Security Rule's standards or implementation specifications, although both are common ways of carrying out the risk analysis and periodic evaluation the Rule does require. These measures are certainly consistent with reasonable data security practices, but they highlight that HIPAA covered entities should not focus exclusively on the standards and implementation specifications set forth in the Security Rule. CMS's mantra during the development of the Security Rule was that the measures were intended to reflect "reasonable" security practices. These new statements from OES should put covered entities on notice that reasonable security is an ever-evolving standard and that the letter of the Security Rule standards is only the beginning.