The Centers for Medicare and Medicaid Services (CMS) will begin on-site reviews of hospitals' compliance with the security rules mandated by the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996.
CMS officials said that they plan to review 10 to 20 hospitals in the next nine months.
Until now, the agency has focused on outreach and education to promote compliance with the rules, said Tony Trenkle, director of CMS' Office of E-Health Standards and Services. After the reviews, CMS will publish the results and the lessons learned about data security issues in organizations that hold individuals' health information.
Trenkle also said that CMS will not publicize the names of the organizations reviewed.
The first reviews will take place at hospitals where CMS has received complaints about security practices. Trenkle said the agency will also conduct reviews at larger hospitals across the United States.
He said that before the reviews begin, his office will post on its website a checklist of the security practices and issues the rules cover. Remote access to data and the use of portable storage devices are among the issues CMS will review, according to Trenkle.
CMS has contracted with PricewaterhouseCoopers to help with the reviews, he said.
Trenkle said his staff is not sure what they will find, and the agency might need to modify the process as it progresses. “We’re just beginning the process. We’re going to see how this works,” he said.
CMS enforces the HIPAA security rules, while the Office for Civil Rights, another division of the Department of Health and Human Services, enforces the privacy rules. When a complaint involves both privacy and security, Trenkle said, “we work a dual process with the Office for Civil Rights.”
He said that most HIPAA complaints arise from privacy rather than security, and that 70 percent of CMS' HIPAA security cases are referred from the Office for Civil Rights.