In a single sentence (at Section 13411 of The HITECH Act), the Secretary of HHS is mandated to “provide for periodic audits …” of compliance with the HIPAA Privacy and Security Final Rules.  The initial audits are underway.  Notification letters have been sent to the first 20 Covered Entities.  Many organizations have geared up their preparation.  Others are looking for a way to simply get started.   Here’s today’s big tip – Go to School on the CMS Compliance Reviews of 2008  …


[Image: HIPAA audit prep checklist | HIPAA Audit Tips] After an OIG 2008 audit, CMS performed reviews of 10 covered entities to verify compliance with the Security Rule. Great insight into what to expect.

Although responsibility for Security Rule Enforcement shifted to OCR in 2009, there’s much to be learned from work CMS had done in 2008.  CMS performed reviews of ten Health Insurance Portability and Accountability Act of 1996 (HIPAA) Covered Entities (CEs) to verify compliance with “Security Standards for the Protection of Electronic Protected Health Information (ePHI),” found at 45 CFR Part 160 and Part 164, Subparts A and C, commonly known as the Security Rule.

The CMS reviews were based on complaints filed against entities, identification of potential Security Rule violations through the media, or recommendations from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

First, we can learn from CMS's particular focus for these reviews. That focus included, but was not limited to, the following areas:

  • Risk analysis and management;
  • Security training;
  • Physical security of facilities and mobile devices;
  • Off-site access and use of ePHI from remote locations;
  • Storage of ePHI on portable devices and media;
  • Disposal of equipment containing ePHI;
  • Business associate agreements and contracts;
  • Data encryption;
  • Virus protection;
  • Technical safeguards in place to protect ePHI; and
  • Monitoring of access to ePHI.

Equally if not more instructive is CMS's analysis of the identified compliance issues with which Covered Entities appeared to struggle the most under the Security Rule. These areas included:

  1. 45 CFR 164.308(a)(1)(ii)(A) – Risk Analysis
  2. 45 CFR 164.308(a)(8) – Security Evaluation (Currency of Policies and Procedures)
  3. 45 CFR 164.308(a)(5) – Security Training
  4. 45 CFR 164.308(a)(3) – Workforce Clearance
  5. 45 CFR 164.310(c) – Workstation Security
  6. 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.312(e)(2)(ii) – Encryption

You may wish to read the entire article entitled "HIPAA Compliance Review Analysis and Summary of Results". Enjoy!


The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.