The Centers for Medicare & Medicaid Services (CMS) began conducting compliance reviews of covered entities in January 2008. These are in addition to the audits being conducted by PricewaterhouseCoopers under contract. The CMS website (http://www.cms.hhs.gov/Enforcement/09_HIPAAComplianceReviewExamples.asp#TopOfPage) will post information about these reviews from time to time. The first one relates to the theft of a portable computer containing electronic protected health information.
Here's what CMS required as a plan of correction:
- Implementation of additional physical security measures for the areas affected by the lost laptop incident, to include 24-hour video surveillance and recording - Is this in all areas with computers?
- Development and implementation of policies and procedures to ensure daily notification to the Information Technology department of any user who has been terminated - This should be an exit interview or checklist item.
- Implementation of a process to verify that access privileges are assigned in a manner that is consistent with the employee's role within the organization - This one will wreak havoc on many organizations that have chosen to audit behind access, rather than limit access up front.
- Development and implementation of policies and procedures requiring laptops to be physically secured to the workstation where they are located - Locking docking stations and other devices are commonplace in electronics stores, and it looks like they will be commonplace in health care environments soon as well.
- Implementation of targeted information security training for all employees who use portable devices and media - CMS has already promulgated specific HIPAA Security Rule guidance that the industry should have been paying attention to long before now. Not surprisingly, many of the items listed in the plan of correction are found in this guidance. You can find it at http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp#TopOfPage.
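The two access-related items above (daily notice of terminations, and privileges that match the employee's role) can be reconciled mechanically rather than audited after the fact. The following is an added example, not CMS guidance and not code from this post; the role names, privilege names, the shape of the directory export and the HR termination feed are all assumptions.

```python
# Constructed sample data: a role-to-privilege baseline, an access export as
# a directory might produce it, and HR's daily list of terminated users.
ROLE_BASELINE = {
    "nurse": {"ehr_read", "ehr_write_notes"},
    "billing": {"ehr_read", "claims_submit"},
    "it_admin": {"ehr_read", "ehr_admin", "vpn"},
}

ACCESS_EXPORT = [
    # (user, role on record, privileges actually granted)
    ("asmith", "nurse", {"ehr_read", "ehr_write_notes"}),
    ("bjones", "billing", {"ehr_read", "claims_submit", "ehr_admin"}),  # beyond role
    ("cwu", "it_admin", {"ehr_read", "ehr_admin", "vpn"}),
    ("dlee", "nurse", {"ehr_read"}),  # terminated, account still present
]

TERMINATED_TODAY = {"dlee"}


def review_access(baseline, export, terminated):
    """Compare granted privileges against the role baseline and the HR feed.

    Returns a list of (user, finding, detail) tuples:
      terminated_still_active - account exists for a user HR has terminated
      unknown_role            - role on record has no baseline (cannot verify)
      excess_privilege        - privileges granted beyond the role baseline
    """
    findings = []
    for user, role, granted in export:
        if user in terminated:
            findings.append((user, "terminated_still_active", sorted(granted)))
            continue  # disable first; role fit is moot for a leaver
        allowed = baseline.get(role)
        if allowed is None:
            findings.append((user, "unknown_role", [role]))
            continue
        excess = granted - allowed
        if excess:
            findings.append((user, "excess_privilege", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ROLE_BASELINE, ACCESS_EXPORT, TERMINATED_TODAY):
        print(f"{user}: {finding} {detail}")
```

Run daily against the real export and HR feed, an empty result is the evidence an auditor asks for; a non-empty one is the revoke/disable work list for that day.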
A word to the wise should be sufficient.