CMS has now posted a document entitled Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews. The document closely mirrors the information that surfaced after the Piedmont audit last year. What is also notable is that the information request asks about things the HIPAA Security Rule never addresses explicitly (its transmission security standard is technology-neutral), such as wireless network usage, and "mechanisms to ensure the integrity of data during transmission - including portable media transmission (i.e. laptops, cell phones, blackberries, thumb drives)".

HIPAA is one of the more mature compliance regulations; wireless access and USB storage were not yet common security concerns when the HIPAA Security Rule came into being.

Time will tell if we are seeing the start of "scope creep" in HIPAA security standards, as has been experienced with GLBA by financial organizations (where the FFIEC has added an enormous amount of detail further defining what affected institutions have to do to comply).

Also on the HIPAA enforcement front, as reported on Rebecca Herold's blog, a HIPAA violation was prosecuted in Oklahoma City. The individual prosecuted was convicted of providing personally identifiable health information to other individuals, in what appears to have been an insider identity theft scheme.

Jim