The CMS has hired New York-based consulting and auditing firm PricewaterhouseCoopers to perform compliance reviews at healthcare organizations, looking to see how well they meet their obligations to protect healthcare information under the Health Insurance Portability and Accountability Act of 1996.
The move creates the potential for a conflict of interest for Pricewaterhouse, which may find itself reviewing a healthcare organization that also is a client. Pricewaterhouse clients, meanwhile, may wonder whether the company is also their CMS-anointed compliance reviewer.
Under terms of the one-year, $897,503 contract, Pricewaterhouse will be assigned to look at the security programs at 10 to 20 organizations, according to Karen Trudel, deputy director of electronic health standards and services at the CMS. The CMS has the authority to enforce the so-called HIPAA security rule, which became effective for most "covered entities," such as health plans, providers and claims clearinghouses, on April 21, 2005.
The CMS has received 378 complaints from individuals alleging security violations, according to an agency spokesman. Thus far, no healthcare organization has been fined for a HIPAA security violation.
Healthcare organizations targeted under the contract with Pricewaterhouse will be chosen from the complaints list, Trudel said. "We're not calling them audits; we're calling them compliance reviews," Trudel said. The reviews also will have an educational component, she said. While the final reports from those reviews will not identify individual organizations, they will be made public in a "de-identified" form as a learning tool for others, according to Trudel.
The CMS-Pricewaterhouse compliance program "is still in its infancy," Trudel said. No Pricewaterhouse review team has visited a healthcare organization yet, she said. The contract runs from Sept. 30, 2007, through Sept. 29, 2008.
Pricewaterhouse declined comment through a spokeswoman.
The contract comes as the Office of Inspector General at HHS has already embarked on a compliance audit of its own, focusing on how well the CMS is overseeing enforcement of HIPAA security provisions. According to inspector general spokesman Donald White, the final report of an initial audit conducted last year at an unnamed hospital has yet to be completed. Even when the report is done, while the inspector general will turn it over to the CMS, it will not be made public because it will contain "sensitive, proprietary information," White said.
According to published reports, 447-bed Piedmont Hospital in Atlanta was ground zero for the first inspector general audit effort. The inspector general's scope of work for fiscal 2008 suggests it will be doing more audits. It says the independent watchdog agency "will review CMS' oversight, implementation and enforcement" of the HIPAA security rule specifically to "determine whether the CMS has implemented controls to reasonably ensure that the HIPAA security rule achieves its intended results."
A Piedmont spokeswoman declined to comment about the inspector general's probe.
Lawrence Hughes, associate Washington counsel for the American Hospital Association, said the original inspector general effort at Piedmont "was very much focused on an attempt to see how CMS was serving as an enforcement authority." When word of the inspector general's audit surfaced last summer, the AHA urged members to take a second look at their security procedures, Hughes said.
One issue with the CMS contract is that Pricewaterhouse has a significant presence in auditing and management consulting in the healthcare industry. Given that there are penalty provisions for HIPAA security rule violations, how will the CMS handle organizations that are Pricewaterhouse clients?
"First of all, they're not making decisions," Trudel said. "They're doing only the groundwork and fact-finding. I would say, from the perspective of PWC, they would recuse themselves if there was an organization they do business with. We'd have to find another way to get the work done."
Lisa Gallagher, director of privacy and security for the Healthcare Information and Management Systems Society, said that, increasingly, security is on healthcare leaders' radar.
"They're all very tuned in to the risk and are working very hard keeping up with all the things they need to do," she said.
This story initially appeared in this week's edition of Modern Healthcare magazine.