
Data Security Audits Required For Covered Entities Involved With Medicaid Reimbursements

UPDATED 3/9/2015

For those who are unaware, as of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means is that any Covered Entities involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

As part of the AHCCCS Security Rule Compliance steps, Contractors must conduct a Data Security Audit then submit an AHCCCS Security Compliance Report to the Division of Healthcare Management (DHCM) for review and approval by June 1.  This security audit needs to be performed by an independent third party on an annual basis.

We at MCS believe this is for purposes of accountability and segregation of duties.  We use the most simple, automated and affordable cloud-based HIPAA Security Compliance and Risk Analysis solution called HIPAA One®.  HIPAA One® provides several benefits including preparing for an OCR/OIG audit, HIPAA Security Officer training checklist/interviews, and ongoing remediation planning with reporting.

As part of our service, we can help conduct the Data Security Audit, attest per the AHCCCS Contractor Operations Manual, Chapter 100 – Administration, and fill out Attachment A: AHCCCS Security Rule Compliance Summary Checklist.  We are already covering these items as part of the 78 HIPAA Security Citations in the OCR Audit Protocol, OCR’s Guidance on HIPAA Security, and for Meaningful Use Stage 2 requirements.

HIPAA One® can help – please contact us at 801-770-1199, email at, or visit us at for more information.

UPDATED 3/9/2015

MCS has just received word from AHCCCS in response to a 2015 guidance request:

Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…

You can find the updated Policy 108 compliance guidance here, which states that the audit needs to be done every year and must be submitted using third-party attestation by June 1st:


In Audit and Security circles, this is a Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at
