HIPAA Enforcement Update: CMS Issues Guidance on HIPAA Security Rule Compliance Review
Posted: February 27, 2008
To assist Health Insurance Portability and Accountability Act (HIPAA) covered entities in preparing for enforcement of potential HIPAA Security Rule violations, on February 20, 2008, the Office of E-Health Standards and Services (OESS) provided guidance on the type of information that might be requested during an onsite investigation. The OESS is an office within the Centers for Medicare & Medicaid Services (CMS) of the Department of Health & Human Services. The OESS document, called "Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews," lists (1) the persons who may be interviewed and (2) the documents and other information that may be requested.

OESS has procured contracted services to assist with onsite compliance reviews of potential HIPAA Security Rule violations. The OESS checklist is intended to ensure that HIPAA covered entities know the type of information OESS might request during these reviews. However, the checklist is neither a comprehensive list of applicable investigation/review areas nor an attempt to address all non-compliance scenarios. The agency advises that the individual circumstances of each case will dictate the type of information requested during an investigation or review.

The law grants CMS authority to investigate complaints, collect information and determine a covered entity's compliance (45 CFR 160.300-160.316). These provisions require cooperation from covered entities, including, as deemed necessary, access to facilities, records and other information during normal business hours, or at any time, without notice. OESS will utilize contracted services to assist with onsite investigations and onsite compliance reviews related to potential HIPAA Security Rule violations.

Onsite investigations may be triggered by complaints alleging non-compliance, while onsite compliance reviews will typically arise from non-complaint-related sources of information, such as media reports or self-reported incidents. OESS will exercise its discretion to determine on a case-by-case basis whether an onsite investigation or onsite compliance review is warranted. This action by the agency may signal an imminent increase in enforcement. Accordingly, covered entities should take this opportunity to dust off their HIPAA policies, review privacy and security practices, and provide effective HIPAA refresher training to all workforce members, as appropriate. The checklist may provide a starting point for evaluating or reevaluating an entity's general level of HIPAA Security Rule compliance. Additionally, since efforts to protect personal information show no sign of slowing, all businesses, whether covered by HIPAA or not, need to develop a comprehensive strategy for protecting personal information in order to comply with emerging state laws.