Skip to main content

There's A New HIPAA Sheriff in Town

     The HIPAA Privacy Rule has been in effect since April 2003; the Security Rule went into effect April 2005. Since its implementation, the Office of Civil Rights (OCR) has been in charge of verifying that covered entities are in compliance with the Privacy Rule. The OCR is also responsible for responding to complaints of HIPAA violations, which is where it spends most of its time. During the past few years, the OCR has received about 24,000 complaints, but its response has usually been to assist the covered entity in fixing the problems that led to the HIPAA violation. Fewer than 400 cases have been referred to the Department of Justice (DoJ) for criminal action, and, of those, fewer than 50 have been accepted by the DoJ. There have been no civil monetary penalties assessed, yet, by the OCR.

     However, another group is now apparently stepping in to review healthcare providers' compliance with HIPAA. In March, the Office of Inspector General (OIG) gave notice to Piedmont Hospital in Atlanta that it was being "audited" for HIPAA Security Rule compliance. Of course, being audited for compliance does not mean that the hospital has done anything wrong. What it does mean is that the Medicare police are now apparently becoming the HIPAA police as well. Generally speaking, in the past, the OIG has focused its efforts on fraud and program abuse. This new foray into regulatory compliance is likely due to the limited resources of CMS to police policy issues, other than to use its chief enforcers, the OIG.

     This does not appear to be an isolated incident. The OIG seems poised to conduct similar audits with other healthcare providers; however, I doubt we will see a rash of these audits in the EMS industry any time soon. The OIG will likely focus on larger entities, at least at first. On the other hand, if the OIG is becoming familiar with HIPAA compliance, then it may add that to its bag of tricks when it conducts other investigations for issues such as fraud and abuse, which ambulance services are more likely to be involved in. (Remember that last year, the OIG released two reports on the ambulance industry, both finding that we have been on the receiving end of some significant "overpayments.")

Understanding the HIPAA Security Rule
     My main concern with this is that the Security Rule is not the Privacy Rule, and I am afraid that too many ambulance services do not appreciate the difference.

     The Privacy Rule came first, and many healthcare providers seem to think that if they are in compliance with the Privacy Rule, they are in compliance with HIPAA.

     Unfortunately, that is not the case. The Security Rule came along two years later, and it is much more complicated than the Privacy Rule.

     The Security Rule is broken into three parts: administrative safeguards, physical safeguards and technical safeguards. A better way to look at it is that there are literal lock-and-key safeguards (physical), electronic access and encryption safeguards (technical), and, for each one of those, there is a written policy on what is to be done and how (administrative safeguards). Then there are 27 sub-parts under the umbrella of the three main sections of the Security Rule. For each of the 27 "specifications," you must either implement a "required" security measure or conduct a risk analysis and determine what type of "addressable" security measure should be implemented, if any. And, of course, you must have written policies for each specification, as well as written documentation concerning your risk analysis for the addressable specifications (even the ones you do implement).

     If you understood everything in the preceding paragraph, and if it all sounded not only like something you did several years ago, but also like something you revisit and revise on a regular basis as required by changing circumstances and technological advances, then you are probably in good shape. On the other hand, if this all sounds less than familiar, you probably will not fare well if the OIG comes knocking!

     If you want help with HIPAA, look at the Security Rule guidance at, or post me questions at Questions or comments on this column, as well as ideas for new topics, can be sent to

G. Christopher Kelly is an attorney Practicing in Atlanta, GA. Chris focuses on federal laws and regulations as they relate to the healthcare industry and specifically to the ambulance industry. He also lectures and advises ambulance company clients across the U.S. Contact him at

Chris Kelly is a featured speaker at EMS EXPO, October 11-13, in Orlando, FL. For more information, visit

Back to Top