The CMS has hired the consulting firm of PricewaterhouseCoopers to perform a series of compliance reviews of hospitals regarding adherence to the security rule under the administrative simplification section of the Health Insurance Portability and Accountability Act of 1996.
The CMS was given the authority to enforce the security rule. The rule applies to HIPAA "covered entities," i.e., plans, providers and claims clearinghouses. The compliance deadline for most covered entities was April 20, 2005. Since then, the CMS has received more that 200 complaints about possible security rule violations.
Pricewaterhouse could be assigned between 10 and 20 facilities against which security complaints have been lodged, according to Karen Trudel, deputy director of electronic health standards and services at the CMS.
"Were not calling them audits, we're calling them compliance reviews," Trudel said. The reviews also will have an educational component, she said.
The amount of the contract or its duration were not immediately available. An official from Pricewaterhouse was unavailable for comment at deadline.
The contract comes at a time when security breaches are rampant in healthcare and other industries and when the Office of Inspector General at HHS is looking into how the CMS handles its enforcement duties regarding the HIPAA security rule.