Official HIPAA Compliance Audit Protocol Published
July 2, 2012

The Department of Health and Human Services' Office for Civil Rights (OCR) has finally published the official protocol and detailed procedures guiding its HIPAA Audit program. The protocol, developed by subcontractor KPMG together with OCR, includes 77 evaluation areas for security and another 88 areas for privacy/breach notification. Here's a link to the publication, which is conveniently keyword searchable.

Of particular interest to Redspin is the section dedicated to IT security. As former White House Cybersecurity Czar Howard Schmidt said recently, "Without security, there can be no privacy." We were pleased, but not surprised, to see that the audit protocol maps directly to the HIPAA Security Rule sections §164.308, §164.310 and §164.312.

For the past several years, we've advised our clients that any official HIPAA security audit program would necessarily revert back to the existing HIPAA Security Rule provisions "on the books" since 2005. It's how Redspin designed its own methodology for our HIPAA Security Risk Assessments (click here to download our crosswalk map), and we were 100% confident that our approach would pass muster with any subsequent interpretations.

Further, at the June 7th HIPAA Security Rule conference, Linda Sanchez, Senior Advisor and Health Information Privacy Lead at OCR, reported that the results of the first 20 OCR/KPMG pilot audits showed that security compliance was a far more troublesome area than privacy compliance. More specifically, 74% of the findings were security gaps or breach issues compared to 26% policy violations. Against the backdrop of the healthcare industry's transition from a paper-based system to electronic health records, Redspin continually stresses that IT security is job one.

OCR concurs. Ms. Sanchez went on to recommend "next steps" that all covered entities should implement, not simply as preparation for a potential audit but as best practices. Her first suggestion? Conduct a robust review and assessment. Next? Determine stakeholders, meaning all lines of business that are impacted by HIPAA regulations. Then identify all of the protected health information (PHI) within the organization and map its flow within the organization and to/from business partners.

In conclusion, the audit protocol itself is informative at least in the sense that there are no surprises, but neither does it offer any more explicit guidance than what is in the HIPAA Security Rule. Redspin continues to advise our clients that safeguarding PHI is the primary objective. By conducting a comprehensive security risk analysis and implementing a remediation plan that addresses the findings in a diligent and timely manner, a covered entity will not only improve its security posture and reduce risk, but will also have nothing to fear from an OCR/KPMG audit.

WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM