
CMS Gives More Detail on HIPAA Security Reviews

Atlantic Information Service's "Health Business Daily" for today includes an update on the CMS reviews previously mentioned in this post.

Officials from the CMS Office of E-Health Standards and Services intend to visit covered entities (CEs) "for the foreseeable" future to ensure they are complying with the security rule, the director of the office, Tony Trenkle, tells RPP.

Trenkle says the visits, of which there will be 10 to 20 between now and September, are being considered "compliance reviews" rather than audits. However, entities found to have committed violations could be subject to fines, corrective action plans and other enforcement actions.

Importantly, CMS clarified that, contrary to prior reports, the upcoming reviews will not be limited to hospitals and that the reviews are not "audits":

Trenkle first spoke of the initiative at a HIPAA security compliance workshop co-sponsored by CMS and the National Institute of Standards and Security held outside Washington, D.C., on Jan. 16. But he tells RPP that his comments were misconstrued by those who thought he was referring to hospitals only and to Piedmont-type audits. It was also reported that large hospitals are a focus, but Trenkle denies saying so.

. . .

The targeted entities for the CMS reviews are those for which CMS has already investigated a security complaint, says Trenkle. "These are not audits. They are not random," he says.

CMS calls these organizations "filed against entities," or FAEs, says Lorraine Tunis Doo, the senior policy advisor in Trenkle's office, who also spoke with RPP.

As of December 2007, CMS had received a total of 283 security complaints and had closed 191. The majority of security complaints are allegations of "inappropriate access and risk of inappropriate disclosure," Trenkle says.

Finally, CMS provides some detail on the substance of the review:

The reviews will re-examine efforts entities took to address the initial complaint that brought them to CMS's attention, as well as take a global look at all of the entities' security practices to identify possible compliance failures.

Some entities have been asked to have a corrective action in place as a result of violations, Doo says. The reviewers will determine if the plan was implemented correctly.

In addition, they will focus on a checklist of general security rule requirements. CMS intends to post the checklist on its Web site within the next month, Trenkle says, to give entities a heads up. It also is meant to help educate the health care community about where to focus their security compliance efforts.

Read the full AIS article here.


About

This page contains a single entry from the blog posted on February 14, 2008 11:55 AM.
