The Centers for Medicare & Medicaid Services (CMS) began conducting compliance reviews of covered entities in January 2008. Here we provide information about those reviews, and include sample findings and lessons learned. Additional examples will be provided on a regular basis. CMS has the authority to conduct compliance reviews of covered entities. Under the organizational structure of CMS, the Office of E-Health Standards & Services (OESS) is responsible for the work, and reference to that office is made in these case examples. To view the examples, see the link in the Downloads section below.

HIPAA Onsite Compliance Reviews

The authority of CMS to investigate complaints, collect information and determine a covered entity's compliance is found at 45 CFR 160.300-160.316. These provisions require cooperation from covered entities, including, as deemed necessary, access to their facilities, records and other information during normal business hours, or at any time, without notice. The Office of E-Health Standards and Services (OESS) within CMS will utilize contracted services to assist with onsite compliance reviews related to potential HIPAA Security Rule violations. Onsite reviews may be triggered by complaints alleging non-compliance, or by information such as media reports or self-reported incidents. A summary of the results of the "Compliance Reviews" conducted in 2008 can be downloaded from the link in the "Downloads" section below.

A list of the types of information that might be requested in an onsite HIPAA Security investigation/compliance review is also available for download from the link below; however, the document is not a comprehensive list of applicable investigation/review areas, nor does it attempt to address all non-compliance scenarios. The individual circumstances of each case will dictate the type of information that will be requested during an investigation or review.
The document also serves to highlight several areas of vulnerability associated with the security of electronic protected health information, and may provide a starting point for evaluating or reevaluating an entity's general level of HIPAA Security Rule compliance. To view the "Information Request for Onsite Compliance Reviews" document, see the link in the "Downloads" section below.
Page Last Modified: 06/03/2009 8:55:42 AM