Compliance

CMS Audits: Now More Crucial Than Ever

John Piotrowski

Principal, Coalfire

October 28, 2025

The healthcare sector sits “comfortably” at #2 among all industry sectors when it comes to confirmed data breaches, and the heat is only turning up. Ransomware, supply chain exploits, AI-powered phishing, and other threats are lurking like invasive pythons in the Florida Everglades. As far as large data breaches reported to the Office for Civil Rights (OCR) go, nearly 30 million records were affected in the first half of 2025 alone. Several reported breaches have surpassed the 1 million mark in records affected.

What’s at Stake in a CMS Audit?

While some in the healthcare sector may opine that breaches are a matter of when instead of if, there are certainly proactive measures that can be taken to minimize the likelihood of a breach or security incident. This is where independent audits become paramount for organizations subject to the Centers for Medicare & Medicaid Services (CMS) requirements. In an era where digital transformation is reshaping healthcare, regulatory compliance isn’t just a legal obligation; it’s a strategic imperative for maintaining the data integrity that patient care depends on. For healthcare executives and IT directors, ensuring readiness for CMS audits is critical to maintaining funding, safeguarding patient trust, and protecting operational continuity. This is precisely where an independent audit from Coalfire’s Healthcare GRC team can pay off.

CMS audits assess your organization’s ability to meet federal requirements for data security, privacy, and program integrity. These audits scrutinize:

  • The ARC-AMPE (Acceptable Risk Controls for Affordable Care Act, Medicaid, and Partner Entities) security and privacy framework
    • ARC-AMPE has now replaced the MARS-E, Enhanced Direct Enrollment (EDE), and Direct Enrollment (DE) requirements with updated security and privacy safeguards.
    • Authority to Connect (ATC) or Authority to Operate (ATO) compliance
  • HIPAA and HITECH compliance
  • Risk assessments and mitigation plans
  • Access controls and identity management
  • Incident response and breach notification protocols
  • Comprehensive administrative, technical, and physical security controls
  • User experience (UX) eligibility determination (Section 508 accessibility compliance)

An independent audit through Healthcare GRC can identify risks or process gaps to be remediated, helping ensure regulatory compliance and avoiding the possibility of financial penalties, reputational damage, or even suspension from CMS programs.

Why Healthcare GRC Is a Strategic Partner for Healthcare and IT Leaders

Executive-Level Risk Visibility - Healthcare GRC provides healthcare and IT leadership with clear, actionable insights into compliance gaps and cybersecurity risks. Reports translate technical findings into business impact, helping executives make informed decisions.

Audit-Ready Documentation - CMS demands rigorous documentation. Healthcare GRC helps teams prepare evidence aligning with federal expectations, reducing the burden on internal staff and increasing audit success rates.

Accelerated Remediation - Time is money in healthcare. Healthcare GRC’s experts offer prioritized remediation plans that align with your organization’s risk tolerance and operational realities so you can act quickly.

Board-Level Confidence - Engaging a respected third-party firm signals to your board, regulators, and partners that your organization takes security, privacy, and compliance seriously. It’s a proactive move that builds trust and resilience.

Futureproofing Your Infrastructure - CMS regulations are evolving. Healthcare GRC offers ongoing advisory services to help leaders stay ahead of changes, whether it’s adapting to new interoperability rules or strengthening current defenses.

For IT Directors: A Tactical Advantage - Our Healthcare GRC experts not only audit our partners but also collaborate with your IT department to:

  • Conduct penetration testing and vulnerability scans
  • Validate system (cloud, on-prem, media, medical device) configurations and electronic health records (EHR) security
  • Prepare for CMS, OCR, and other regulatory audits

Final Word for Healthcare Leaders

CMS audits are no longer episodic; they are part of the new normal. By partnering with Healthcare GRC, healthcare executives and IT directors gain a strategic ally in navigating compliance, fortifying cybersecurity, and preserving patient trust.

CMS ARC-AMPE DEE (Direct Enrollment Entities) Advisory Services

  • If you are new to CMS compliance or are working on an Authority to Connect (ATC), our experts can also help you:
    • Conduct a gap analysis of your System Security and Privacy Plan (SSPP) and governance policies
    • Support remediation of identified gaps
    • Provide ongoing advisory on CMS ARC-AMPE DEE security and privacy requirements

CMS ARC-AMPE DEE Third-Party Audit Services

  • Cyclic CMS attestation services that provide:
    • Security Assessment Plan (SAP)
    • Security Assessment Workbook (SAW)
    • Security Assessment Report (SAR)
    • Plan of Actions and Milestones (POA&M) as required by CMS