Transcript of "OIG’s Review of CMS HIPAA Security Rule Oversight – What a Scathing Report Means For You"
OIG’s Review of CMS HIPAA Security Rule Oversight – What a Scathing Report Means For You

The OIG (the Office of Inspector General – the audit arm of the Department of Health & Human Services) recently released its report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and enforcement of hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly characterizes the current regulatory compliance efforts by the CMS as lax. While the report is full of interesting statistics about the extent to which the hospitals it audited as part of the analysis were lacking in security, I thought it made sense to discuss the inevitable outcome for hospitals and, frankly, for any organization covered by the HIPAA Security Rule.

What the Report Says About the Future

1. Expect post-breach due diligence

In rock climbing, we had a saying: it’s not the fall that kills you, it’s the landing. Well, that certainly rings true with a data breach. If you’ve read the news lately, you’re likely aware of the scrutiny into organizations that have experienced a breach. Not only does the true financial cost and liability impact become clear in the weeks and months following a breach, but the entire risk management strategy of the organization comes under a microscope. And for those organizations that fall within HIPAA Security Rule compliance requirements, that is echoed loud and clear in this report, in which it is stated that the CMS:

“performs compliance reviews of covered entities in response to breaches of unsecured protected health information affecting 500 or more individuals”.

So, while many healthcare CIOs have never been through a compliance audit but may expect one in the event of an ePHI data breach, they can be assured of an audit after this report. And when the microscope comes out, here are the kinds of questions the CMS will be asking:

- Sure you have security controls, but are they actually working?
- Does executive management have a clear understanding of their risk profile?
- Does your healthcare organization have a structured and systematic approach to risk management?
- Are you aware of, and do you follow up on, deficiencies in your security program?

So if your security is lax, the (in)effectiveness of your program will become clear in the post-breach analysis.

WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM

2. Expect pro-active audits

While it may not be surprising to CIOs to expect some regulatory due diligence into their information security programs after a breach, it may be more of a surprise that periodic or even annual regulatory security audits by the CMS are inevitable. Not only are state Attorneys General being trained by the federal government on HIPAA enforcement, but the OIG is clearly indicating that pro-active CMS auditing is what it would like to see. Healthcare is unique in that, while it has clear regulatory guidance on security (the HIPAA Security Rule), it has not been subject to consistent oversight in the form of audits. In other industries (financial services, for example) CIOs have for years come to expect annual onsite visits from the regulators in which their security programs and controls are reviewed. Here are some of the OIG statements showing that the current state of affairs (lax auditing and minimal oversight) is not appropriate moving forward:

INSUFFICIENT OVERSIGHT AND ENFORCEMENT ACTIONS
CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule.

Here is another telling indicator from the report:

Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage OCR to continue the compliance review process begun by CMS in 2009.

So it’s clear that healthcare organizations should expect pro-active audits not only from the State Attorneys General, but at the federal level as well, from the CMS.

3. Expect the CMS to take a broad view of security

At Redspin, we’ve always been a fan of taking a practical view of security and compliance. It looks like the regulatory environment is poised to take a similar view.

RECOMMENDATIONS
We recommend that OCR continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

From a practicality standpoint this is a good thing. However, those entities that deploy controls just because they have to, rather than putting real thought into the deployment to ensure the controls work as intended, will find that the existence of a control by itself does not free them from regulatory liability.

Redspin Recommendations:

- Don’t just treat a HIPAA Security Risk Analysis like a compliance check-the-box item on your agenda.
- Consider the fact that a meaningful HIPAA Security Risk Analysis is the foundation for effective risk management, and leverage the effort to build a robust and systematic information security program that will maximize HIPAA Security Rule compliance while minimizing the risk of an ePHI data breach.
- Understand that by focusing on the intent of the HIPAA Security Rule you can achieve both security and compliance. However, the inverse is not true: focusing on compliance does not necessarily buy you security in the risk management sense of the word – in fact, in the OIG’s opinion, it won’t even buy you compliance.
- Always remember it’s not the existence of a control that matters, rather it’s the effectiveness.

Conclusion

While additional oversight may seem daunting, the good news is that hospitals and other healthcare organizations can get lasting practical and compliance value from doing an annual HIPAA Security Risk Analysis.

- It can be used to meet the meaningful use core objective of safeguarding ePHI.
- It’s the foundation of a robust information security program.
- It can be used to provide executive management visibility into their risk profile and overall IT environment.
- It can lower your overall risk profile by identifying and prioritizing critical risk.
- In the event of a CMS audit, it will provide evidence that your organization has a robust security foundation and a systematic information security program.

* Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-08-05069)