HIPAA Security Audits

Legal HIMformation
(September 2008)

The Centers for Medicare & Medicaid Services (CMS) began conducting compliance reviews of covered entities in January 2008. These are in addition to the audits being conducted by PricewaterhouseCoopers under contract. The CMS website will have information about these reviews from time to time. The first one relates to the theft of a portable computer containing electronic protected health information.

Here's what CMS required as a plan of correction:

  • Implementation of additional physical security measures for the areas affected by the lost laptop incident, to include 24-hour video surveillance and recording - Is this required in all areas with computers?
  • Development and implementation of policies and procedures to ensure daily notification to the Information Technology department of any user that has been terminated - This should be an exit interview or checklist item.
  • Implementation of a process to verify that access privileges are assigned in a manner that is consistent with the employee's role within the organization - This one will wreak havoc on many organizations that have chosen to audit access after the fact, rather than limit it up front.
  • Development and implementation of policies and procedures requiring laptops to be physically secured to the workstation where they are located - Locking docking stations and other devices are commonplace in electronics stores, and it looks like they will be commonplace in health care environments soon as well.
  • Implementation of targeted information security training for all employees who use portable devices and media - CMS has already promulgated specific HIPAA Security Rule guidance that the industry should have been paying attention to long before now. Not surprisingly, many of the items listed in the plan of correction are found in this guidance. You can find it at
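The second and third items in the plan of correction (daily notice of terminations to IT, and access privileges that match the employee's role) are the two that can be checked mechanically. As an added example, not part of this newsletter and not CMS material, the Python script below reconciles an HR roster against the entitlements actually granted in an access-control system. It flags accounts with no HR record, terminated employees whose accounts still hold access (with the number of days since termination), roles the policy matrix does not cover, and entitlements beyond what a role allows. The roster, access list, role matrix, user names and entitlement names are all constructed sample data; a real run would pull the roster from the HR feed and the entitlements from the directory or application.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Role-to-entitlement matrix. Roles and entitlement names are constructed for
# illustration; a real matrix comes from the organization's own access policy.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "nurse": {"ehr_read", "ehr_write_clinical"},
    "billing_clerk": {"ehr_read", "billing_read", "billing_write"},
    "it_admin": {"ehr_read", "ad_admin"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    status: str  # "active" or "terminated"
    termination_date: Optional[date] = None


# Daily HR feed as the IT department should receive it (constructed sample).
HR_ROSTER: List[Employee] = [
    Employee("jdoe", "nurse", "active"),
    Employee("asmith", "billing_clerk", "active"),
    Employee("bjones", "nurse", "terminated", date(2008, 9, 1)),
    Employee("cwhite", "it_admin", "active"),
]

# Entitlements currently granted in the access-control system (constructed sample).
ACCESS_LIST: Dict[str, Set[str]] = {
    "jdoe": {"ehr_read", "ehr_write_clinical"},
    "asmith": {"ehr_read", "billing_read", "billing_write", "ad_admin"},
    "bjones": {"ehr_read"},
    "ghost": {"ehr_read"},
}

REVIEW_DATE = date(2008, 9, 15)  # assumed date on which the review is run

Finding = Tuple[str, str, object]


def reconcile(roster: List[Employee], access: Dict[str, Set[str]],
              matrix: Dict[str, Set[str]], today: date) -> List[Finding]:
    """Compare granted access against the HR roster and the role matrix.

    Returns (user_id, finding_type, detail) tuples ordered by user_id:
      orphan_account           - account with no HR record at all
      terminated_still_enabled - terminated N days ago, account still holds access
      unknown_role             - HR role not covered by the matrix
      excess_privilege         - entitlements beyond what the role allows
    """
    by_id = {e.user_id: e for e in roster}
    findings: List[Finding] = []
    for user_id, granted in sorted(access.items()):
        emp = by_id.get(user_id)
        if emp is None:
            findings.append((user_id, "orphan_account", sorted(granted)))
            continue
        if emp.status == "terminated":
            days = (today - emp.termination_date).days if emp.termination_date else None
            findings.append((user_id, "terminated_still_enabled", days))
            continue
        allowed = matrix.get(emp.role)
        if allowed is None:
            findings.append((user_id, "unknown_role", emp.role))
            continue
        excess = granted - allowed
        if excess:
            findings.append((user_id, "excess_privilege", sorted(excess)))
    return findings


def run_review() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, ACCESS_LIST, ROLE_ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, kind, detail in run_review():
        print(f"{user_id:10} {kind:26} {detail}")
```

Run daily against the same HR feed that notifies IT of terminations, the script turns "audit after the fact" into a list of accounts to disable or trim before the next review; the days-since-termination figure is the number an auditor will ask for.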

A word to the wise should be sufficient.
