The Centers for Medicare and Medicaid Services will begin on-site reviews of hospitals' compliance with security rules mandated by the Health Insurance Portability and Accountability Act of 1996.
CMS officials said at a workshop on HIPAA security yesterday that they expect to review 10 to 20 hospitals in the next nine months.
Until now, the agency has focused on outreach and education to promote compliance with the rules, said Tony Trenkle, director of CMS' Office of E-health Standards and Services. After the reviews, CMS will publish the results and the lessons learned about data security issues in organizations that have individuals' health information.
However, Trenkle said, CMS will not publicize the names of the organizations reviewed.
The first reviews will be at hospitals where CMS has received complaints about security practices. Trenkle said the agency also will begin with larger hospitals nationwide.
Before the reviews begin, he said, his office will post on its Web site a checklist of security practices and issues covered in the rules. Remote access to data and use of portable storage devices are among the issues that CMS will review.
CMS has contracted with PriceWaterhouseCoopers, an accounting and consulting firm, to help with the reviews, he said.
Trenkle said his staff is not sure what they will find, and the agency might need to modify the process as it progresses. "We're just beginning the process," he said. "We're going to see how this works."
Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, said CMS and its contractor will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital. Before each visit, the team will request documents such as the hospital's security risk assessment and its remote access policies.
Hospitals will be invited to comment on the team's findings before the results are final.
"We hope there won't be heinous findings" of gross neglect or intentional losses of data, Doo said. But if the review uncovers major lapses, the agency can fine a hospital or levy other punishments. However, she said, the office is assuming most health care providers want to comply with the rules.
Trenkle said his office wants to work with the industry and strike a balance between achieving information security and making sound business decisions. "This is not just the HIPAA police out there," he said.
CMS enforces the HIPAA security rules, while the Office for Civil Rights - another division of the Health and Human Services Department - enforces the privacy rules. When privacy and security are involved in a complaint, Trenkle said, "we work a dual process with the Office for Civil Rights."
Most HIPAA complaints arise from privacy rather than security, he said, and 70 percent of CMS' HIPAA security cases are referred from the Office for Civil Rights.