Last week I blogged about how the CMS had contracted with PwC to perform HIPAA audits between September 2007 - September 2008.

The article indicates PwC will "help with the reviews."

Perhaps the PwC auditors will provide some on-the-job training to the CMS auditors so they can eventually start doing the HIPAA audits themselves.

According to the Government Health IT article

"Until now, the agency has focused on outreach and education to promote compliance with the rules, said Tony Trenkle, director of CMS’ Office of E-health Standards and Services. After the reviews, CMS will publish the results and the lessons learned about data security issues in organizations that have individuals’ health information. However, Trenkle said, CMS will not publicize the names of the organizations reviewed."

Hmm...

I can certainly see reasons for not publishing the names of the organizations *IF* the results of the audits would put the patients at risk. However, until we see what the CMS will actually report...and how long it takes them to report the results following the actual results of the audit...it cannot be determined if this will be reasonable or not.

I certainly don't want to see patients and their personally identifiable information (PII) put at risk by the CMS providing too much information from the audits to the public. However, on the other hand I think the public should be aware if the hospital they go to has poor security and privacy practices so that they can do whatever they can, and ask the questions they need to ask their doctors and nurses, to help protect their privacy and secure their PII.

If the regulatory oversight agencies won't strongly enforce security and privacy laws, then the public must be sure to ask their medical providers what they are doing to protect their privacy and secure their PII, and then hold them to it.