U.S. Department of Health and Human Services www.hhs.gov

HIPAA Compliance Review Information and Examples

The Centers for Medicare & Medicaid Services (CMS) began conducting compliance reviews of covered entities in January 2008.  Here we provide information about those reviews, and include sample findings and lessons learned.  Additional examples will be provided on a regular basis.  CMS has the authority to conduct compliance reviews of covered entities.  Under the organizational structure of CMS, the Office of E-Health Standards & Services (OESS) is responsible for the work, and reference to that office is made in these case examples. 

Compliance Review Related to Loss of Portable Device

Reason for review:  Loss of laptop containing electronic protected health information (EPHI)

Type of entity reviewed:  Hospital

In 2007, CMS (and therefore OESS) received a complaint against a hospital related to a lost laptop that contained the electronic protected health information (EPHI) of several thousand patients.  The hospital cooperated in investigating and resolving the complaint in an efficient manner.  After closure of the case, OESS decided to conduct an onsite compliance review to assess the organization's overall compliance with the Security Rule.  As part of this review, OESS placed particular emphasis on evaluating the policies and procedures related to offsite access and use of EPHI from remote locations or for the storing of EPHI on portable devices or media.

The Compliance Officer of the hospital verified that immediately after receiving notification of the complaint about the laptop loss, an inventory of all portable devices and media used by its workforce members was compiled and is routinely updated.  In addition, the organization updated policies and procedures to verify that employees who used such devices with EPHI on them were knowledgeable about their responsibilities to keep it secure. 

During the compliance review, pertinent IT and administrative staff were interviewed extensively.  Documents, including the corrective action plan specific to the complaint, the risk assessment and risk management plan, as well as security policies and procedures were reviewed.  The on-site compliance review identified other vulnerabilities and risks for the hospital, which included a lack of certain policies and procedures – for example, a policy and related procedures requiring a regular review to verify that workforce members have the appropriate level of systems access privileges necessary for their role within the organization. The review also revealed that the hospital had delays in the process for terminating access privileges for individuals no longer employed by the organization. 

Following the review, the hospital developed a corrective action plan which included specific actions and a schedule for completion.  Highlights from the initial corrective action plan, and the one following the compliance review are provided here:    

• Implementation of additional physical security measures for the areas affected by the (lost laptop) incident, to include 24-hour video surveillance and recording;

• Development and deployment of policies and procedures to ensure daily notification to the Information Technology department of any user that had been terminated;

• Implementation of a process to verify that access privileges are assigned in a manner that is consistent with the employee's role within the organization;

• Development and deployment of policies and procedures requiring laptops to be physically secured to the workstation where they are located; and

• Implementation of targeted information security training for all employees who use portable devices and media.
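Two of the findings above (delayed termination of access for former workforce members, and no regular check that privileges match a person's role) are the kind of gap that a routine reconciliation between the HR roster and the system account list will surface. The following is an added illustration written for this page; it is not the hospital's process or any CMS tool, and the role-to-privilege mapping, grace window, review interval and all records are constructed for the example.

```python
"""Reconcile an HR roster against a system's account list.

Produces findings for: terminated workforce members whose accounts are still
enabled past a grace window, enabled accounts whose privilege exceeds what
their role allows, enabled accounts with no HR record, and enabled accounts
whose last access review is overdue. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed role -> highest privilege that role may hold (illustrative only).
ROLE_MAX_PRIVILEGE = {
    "nurse": "clinical_read_write",
    "billing_clerk": "billing",
    "it_admin": "admin",
    "volunteer": "none",
}
# Ordering used to decide whether one privilege level exceeds another.
PRIVILEGE_RANK = {"none": 0, "billing": 1, "clinical_read_write": 2, "admin": 3}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    privilege: str
    last_review: Optional[date]  # None means never reviewed


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str  # stale_termination | excess_privilege | orphan_account | overdue_review
    detail: str


def reconcile(hr: List[HrRecord], accounts: List[Account], as_of: date,
              termination_grace_days: int = 1,
              review_interval_days: int = 90) -> List[Finding]:
    """Compare every account against the HR roster and return the findings."""
    hr_by_id = {r.user_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for these checks
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append(Finding(acct.user_id, "orphan_account",
                                    "enabled account with no HR record"))
            continue
        if rec.termination_date is not None:
            days_since = (as_of - rec.termination_date).days
            if days_since > termination_grace_days:
                findings.append(Finding(acct.user_id, "stale_termination",
                                        f"terminated {rec.termination_date}, still "
                                        f"enabled {days_since} days later"))
        allowed = ROLE_MAX_PRIVILEGE.get(rec.role, "none")
        if PRIVILEGE_RANK.get(acct.privilege, 0) > PRIVILEGE_RANK[allowed]:
            findings.append(Finding(acct.user_id, "excess_privilege",
                                    f"role {rec.role} allows {allowed}, "
                                    f"account holds {acct.privilege}"))
        if acct.last_review is None or (as_of - acct.last_review).days > review_interval_days:
            findings.append(Finding(acct.user_id, "overdue_review",
                                    f"last access review: {acct.last_review}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. for a daily report to the IT department."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data for a reference date of 2008-09-04.
AS_OF = date(2008, 9, 4)
SAMPLE_HR = [
    HrRecord("u100", "nurse", None),
    HrRecord("u101", "billing_clerk", date(2008, 8, 20)),  # left two weeks ago
    HrRecord("u102", "volunteer", None),
    HrRecord("u103", "it_admin", date(2008, 9, 3)),        # left yesterday
]
SAMPLE_ACCOUNTS = [
    Account("u100", True, "clinical_read_write", date(2008, 7, 1)),  # in order
    Account("u101", True, "billing", date(2008, 6, 1)),  # stale + review overdue
    Account("u102", True, "admin", date(2008, 8, 1)),    # volunteer holding admin
    Account("u103", True, "admin", date(2008, 8, 1)),    # inside the grace window
    Account("u999", True, "billing", None),              # no HR record at all
]


def run_sample() -> List[Finding]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id:6} {f.kind:18} {f.detail}")
    print(summarize(run_sample()))
```

Run daily, the `stale_termination` and `orphan_account` results are the items a termination-notification procedure should drive to zero, and `excess_privilege` is the output of the role-consistency check; the grace window keeps a same-day departure from being reported before the notification process has had a chance to act.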

CMS determined that the corrective action plan, when fully implemented, would satisfactorily resolve the compliance issues underlying the complaint and those identified during the on-site review.  CMS will monitor the plan for six months, at which time all actions are expected to be complete.   

HIPAA Onsite Compliance Reviews and Investigations

The authority of CMS to investigate complaints, collect information and determine a covered entity's compliance is found at 45 CFR 160.300-160.316. These provisions require cooperation from covered entities, including, as deemed necessary, access to its facilities, records and other information during normal business hours, or at any time, without notice.

The Office of E-Health Standards and Services (OESS) within CMS will utilize contracted services to assist with onsite investigations and onsite compliance reviews related to potential HIPAA Security Rule violations. Onsite investigations may be triggered by complaints alleging non-compliance, while onsite compliance reviews will typically arise from non-complaint related sources of information such as media reports or self-reported incidents. OESS will exercise its discretion to determine whether or not an onsite investigation or onsite compliance review is warranted on a case-by-case basis.

A list of the type of information that might be requested in an onsite HIPAA Security investigation/compliance review is available for download from the link below; however, the document is not a comprehensive list of applicable investigation/review areas nor does it attempt to address all non-compliance scenarios. The individual circumstances of each applicable case will dictate the type of information that will be requested during an investigation or review. The document also serves to highlight several areas of vulnerability associated with the security of electronic protected health information, and may provide a starting point for evaluating or reevaluating an entity's general level of HIPAA Security Rule compliance.  To view the "Information Request for Onsite Compliance Reviews" document, see the link in the "Downloads" section below.

Downloads
Information Request For Onsite Compliance Reviews [PDF, 43KB]
Page Last Modified: 09/04/2008 5:18:04 PM