CMS Hires A Fox To Guard The HIPAA Henhouse

I just read a very interesting article, "CMS' HIPAA watchdog presents potential conflict" that made me go Hmmm!!

The genesis of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency that is responsible for the Health Insurance Portability and Accountability Act (HIPAA) oversight and compliance enforcement, has contracted PricewaterhouseCoopers (PwC) to perform HIPAA Security Rule compliance audits during 2008.

Gee, ya think this is a conflict of interest? Well, considering PwC provides compliance services to "all organisations engaged in activities that come under the control of a regulator" it is indeed!

Let's see...if I'm a covered entity (CE) under HIPAA and I want to make sure my information security and privacy program is in compliance with HIPAA, who would be good to help me build the program? Why, the same entity that audits for compliance, of course! [Yes, this is a facetious statement.]

But think about it. If PwC created the information security and privacy program at Company X, and then CMS determined, because of complaints they had received about Company X, that they should be audited, what is to stop PwC from doing the audit? How likely is it that PwC would give the program they built a failing audit report? Hopefully there will be controls in place to prevent this.

"Oh, but the business area of PwC doing the audit would not be the same as the business area that created the information security program!"

I can just hear that argument being made now.

However, if the PwC name is on the program, then it doesn't really matter whether or not a different area is doing the audit if their name is also PwC, does it?

If a shoplifter's right hand snatches jewelry in a store is his left hand innocent? (I know...it's not the greatest analogy in the world for this...tell me one better!)

I got my auditing credentials in 1990, and separation of duties is a very significant requirement for effective, noncompromised controls, but was always a topic of hot debate within the really large shops that wanted to do all types of services. The public accounting firms were always trying to find ways to justify having their firms not only creating programs for their clients, but also performing the compliance reviews.

This is already a done deal; the contract CMS has with PwC started on September 30, 2007, and runs through September 29, 2008, when it is up for renewal.

On the plus side it is a very good thing that the CMS is finally getting serious (so it seems) about HIPAA compliance enforcement. They have yet to apply any HIPAA penalties or fines even though they have received hundreds of HIPAA non-compliance complaints. From many calls I've made over the past few years to the OCR and CMS compliance offices, I know they do not have the personnel available, or with the compliance review experience and skills, to really be effective in performing a HIPAA compliance review/audit.

However, it is a very big minus to have the same organization that created a security and compliance program for a CE also perform the compliance review of that same CE program.

If the CMS wants to be effective, they should hire two organizations to do the audits, then establish a contractual restriction that would not allow an audit company to perform a HIPAA compliance review for a company that is, or has been, a client. Wouldn't it be interesting to see the results of an E&Y audit for a security program created by PwC? :)

Oh, I was also interested to see an update to the very first CMS instigated HIPAA audit I blogged about in mid-2007:

"According to inspector general spokesman Donald White, the final report of an initial audit conducted last year at an unnamed hospital has yet to be completed. Even when the report is done, while the inspector general will turn it over to the CMS, it will not be made public because it will contain "sensitive, proprietary information," White said."

Funny they say "unnamed hospital" when it was all over the press that it was Atlanta's Piedmont Hospital.

The amount of time it is taking to complete the Piedmont Hospital audit and report points to the likely inexperience of the auditors involved, or lack of time available for them to do the audit, which makes it clear why CMS is contracting others to perform the HIPAA compliance reviews.

It makes sense that the detailed report would not be made public. However, it is reasonable that a summary of the findings be made available; the CMS owes it to the patients of the hospital to let them know how secure their health care provider really is.

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.