

Are OIG Security Audits Underway?

Whatever the OIG Work Plan says, you can believe it will happen sooner or later.

The Office of Inspector General's 2007 Work Plan states that the OIG will "review the experience with [HIPAA] administrative simplification privacy and security implementation in Medicare and Medicaid to identify key issues that may be relevant to [DHHS's] HIT initiative." The initiative "has a primary objective of fostering the use of electronic medical records throughout the health industry to promote economy and efficiency in the delivery of health services and to enhance patient safety."

Last March, Piedmont Hospital, a 458-bed acute tertiary care facility in Atlanta, earned the dubious distinction of being the first facility subjected to such scrutiny since HIPAA's security rule took effect in April 2005. Few details came out, and an official report has yet to be published, but various leaks indicated that the audit, initially scheduled for a few weeks, stretched into months and that the auditors requested information about 42 items covering safeguards, access and assessment, monitoring and sanctions. The sketchy details leave the rest of the health care industry with little to go on when it comes to the criteria for further security audits and the likely next targets.

Many in the health care industry believe this first audit is a harbinger of things to come. But until reports on more audits surface, health care facilities probably won't feel the need to revisit their own security policies and procedures.

Get Ready
It's been easy to tread lightly in some areas of HIPAA. After all, the rules were purposely made ambiguous and relatively easy to comply with, to help ease the health care industry into the privacy era. It seems, however, that now is the time to take a closer look.

To prepare, a health care facility should ensure that appropriate policies and procedures are in place to explain how it will protect protected health information (PHI), what it will do if PHI is compromised, and what protocols it will follow in the event of a federal investigation. It took years for the final HIPAA regulations to come out, so chances are good that numerous policies and procedures are ineffective, incomplete or out of date. Draft policies may have been written but never updated to meet the final regulations.

Those policies and procedures also need to be distributed to the appropriate staff members. Remember that your compliance program must be an active effort, not just a manual that collects dust on a shelf. Internal audit programs should be reviewed for effectiveness and scheduled on a regular basis.

Part of a good security compliance program is a regular assessment of potential risks, whether they arise within the organization or from outside business associates and trading partners. A risk analysis can be conducted internally or through an outside consulting firm.

Another major area of risk is disaster recovery. Every organization should have an emergency preparedness and contingency plan that is regularly updated and tested.

Staff training should be an essential part of your compliance plan. It's easy to move it to the back burner because most health care facilities are already short-staffed and overburdened. But staff training should include materials for new employees and updates for all staff whenever policies and procedures change. Don't treat training as a one-time event; it is an ongoing effort.

Stay Ready
It would be easy to put this off until there are more audits and resulting reports, but there's no way to tell whether your facility is the next OIG target. Plus, the 2008 OIG Work Plan clearly indicates that these efforts will continue: "We will review CMS' oversight, implementation and enforcement of the regulation implementing security standards ... we will determine whether CMS has implemented controls to reasonably ensure that the HIPAA Security Rule achieves its intended results."

There are numerous resources to help with HIPAA plans and preparedness. Following are a few of the organizations and sites that can help you ensure compliance at your facility:

 HIPAA security standard Web site

 CMS general HIPAA resource site

 OIG's report on HIPAA readiness

 Phoenix Health System's HIPAAAction Web site

 Hall, Render, Killian, Heath & Lyman law firm's Knowledge Center

Beth Walsh is a writer/editor focusing on HIT.


Ongoing theft by Medicare contractors as claims are altered after being sent in. Every patient with multiple phony numbers created. Contact me for more info, or I have been blogging daily at WashingtonPost.com, LindaJoyAdams page. I am out under Federal worker's comp jurisdiction. In OK currently.

Linda Joy Adams, SSA rep, Field office, April 29, 2009
Cherry Hill, NJ



© 2017 ADVANCE Healthcare, an Elite CE company