Earlier this year, CMS announced that it will begin conducting onsite reviews and investigations to determine compliance with the HIPAA security rules (not the privacy rules, which are enforced separately by the Office of Civil Rights).

CMS’s Office of E-Health Standards and Services will oversee these onsite investigations and onsite compliance reviews. CMS states that “Onsite investigations may be triggered by complaints alleging non-compliance, while onsite compliance reviews will typically arise from non-complaint related sources of information such as media reports or self-reported incidents.” Violations are subject to penalties, but CMS also intends for the process to be educational and will publicize limited results to share lessons learned.

More recently, CMS published a sample list of information that might be requested in an onsite investigation or onsite compliance review. While each investigation/review will be specifically tailored, CMS states that this sample list “serves to highlight several areas of vulnerability associated with the security of electronic protected health information, and may provide a starting point for evaluating or reevaluating an entity's general level of HIPAA Security Rule compliance.”

CMS has contracted with PriceWaterhouseCoopers to conduct these investigations/reviews in 2008. CMS has indicated that the investigations/reviews will continue for the foreseeable future as CMS gauges how the industry responds.