HIPAA Security Audits in 2012-What to Expect. Are You Ready?


What to Expect from a HIPAA Security Audit

Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act. HITECH provided a much needed "shot in the arm" (no pun intended) for the vanguard of healthcare technology advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been promoting the necessity of modernizing the U.S. healthcare system for years.

Under HITECH, the Centers for Medicare & Medicaid Services (CMS) launched its "meaningful use" program, a three-stage plan to transition from paper-based to electronic medical records (EMR). Stage 1 "meaningful use" specifically calls out core requirements for covered entities and eligible providers. Benchmarks, goals, and deadlines have been established to measure the adoption, implementation, and utilization of EMR. Stage 2 requirements will be published in the summer of 2012. Although early in its lifecycle, the "meaningful use" program is already widely considered the cornerstone of health IT transformation.

Although "meaningful use" is not mandated by law, it might as well be. By attesting that they have met Stage 1 requirements, hospitals are eligible for up to a $4 million base payment plus a multiplier for 6 years on Medicare reimbursements. The program is a combination of financial incentives (the "carrot") and disincentives (the "stick"), further supported by existing rules enacted under HIPAA years ago. For example, compliance with the HIPAA Security Rule has been required since 2005.

At that time, IT usage in healthcare was limited, and the regulations governing it were relatively toothless. But "meaningful use," with its incentives for the adoption of electronic health records (EHR), and HITECH, with increased monetary penalties for the breach of protected health information (PHI), both breathed new life into the HIPAA Security Rule.

In 2011, the impetus for covered entities to improve their privacy policies and IT security infrastructure has also been driven by the Stage 1 EHR meaningful use incentive plan. Part of the requirements for attestation is to have conducted a HIPAA Security Risk Analysis. To fulfill this mandatory requirement, most hospitals hire a third-party security assessment firm such as Redspin, who are experts in IT security and compliance and can deliver an objective, unbiased report.

While the "carrot" has been very motivational (over 85% of hospitals say they will attest to Stage 1 by the end of 2012), the "sticks" of increased breach penalties and government-ordered HIPAA security audits have not yet had an impact in any significant way. That will change in 2012.

Last June, the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) awarded $9.2 million to KPMG, under Contract No. GS23F8127H, to support OCR in creating a documented HIPAA audit protocol and to conduct such audits on 150 entities by the end of 2012. The 150 organizations selected will include both covered entities (hospitals) and their business associates (BAs).

As we move toward 2012, the reality of increased breach penalties and government-sponsored audits should be "top of mind" for the executive leadership at hospitals and hospital systems. Prudent healthcare CIOs will naturally want to first conduct their own security risk analysis before any government auditors show up at their door. Indeed, Redspin has worked with dozens of "early adopters" in 2011 who hired us to conduct a HIPAA risk assessment to meet Stage 1 meaningful use deadlines. These admirable entities are well ahead of the game now should they be selected for an OCR/HIPAA audit as devised by KPMG later this year.

www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177
MOVING TARGET

In 2011, the majority of hospitals were not ready to meet the full set of meaningful use requirements, and others were hoping for more guidance from CMS/OCR in regard to specific risk analysis or HIPAA audit scope. Last May, the agencies were vague at best when the question of what the HIPAA audit protocol would look like was raised at the Annual HIPAA Security Rule Conference in Washington, D.C. They deferred on the question initially, then went on to stress how seriously they planned to take their enforcement responsibility, even presenting dates/cities for an upcoming HIPAA Audit Policy and Procedures training program for State Attorneys General.

Most attendees felt that this was putting the cart before the horse. OCR had yet to even award the contract for the development of the HIPAA Audit Policy and Procedures (which went to KPMG a month later). Adding fuel to the fire, OCR suggested that the AG training material would likely never be publicly released. When pressed by an attendee, the OCR representative deferred to the HIPAA Security Rule, "which has been around forever," and suggested that a good starting point for all would be to read or reread that regulation.

We agreed. For Redspin's scope of work, we see no possibility for ambiguity. First, our HIPAA Security Risk Audits/Assessments are conducted in strict accordance with the HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164, Subparts C and E). Second, we consider IT security a process rather than a project. We test, report findings, suggest solutions, validate remediation, and test again at a later date. There are ample opportunities to adjust our scope of work along the way so that we meet compliance objectives. This has always been the way to work with government-backed industry audits. Times change. Technologies advance. With our flexible assessment approach, we're able to stay in lock-step with the auditors and are thus able to deliver the highest value to our clients.

A good example is likely already at hand. Redspin believes that a large concern at hospitals should be the oversight of their business associates, a complex and cumbersome, and thus oft-neglected, responsibility. Particularly when one considers the sobering statistic that since September 2009, 55% of all major breach incidents (those involving 500 or more individuals' records) occurred at BAs, and that less than half of healthcare organizations conduct any kind of pre- or post-contract compliance assessment of their BAs. Thus, Redspin has recently added a business associate portfolio risk assessment service to its offerings.

For business associates themselves, protecting the security and privacy of ePHI/PHI will suddenly become both a fiduciary responsibility and potentially a competitive issue. OCR has already confirmed that direct liability for a breach will extend to BAs at the end of 2012, raising the specter of civil penalties. As hospitals begin to feel increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network security assessments prior to signing or renewing business contracts. Publicly disclosed violations or civil penalties assessed to BAs could be brand-damaging at the least and a company killer at their most severe.

A NEW SHERIFF IN TOWN

For its part, OCR is going full steam ahead, at least in terms of continuing to stress enforcement. The KPMG contract itself requires their auditors to inform organizations in advance that "OCR may initiate further compliance enforcement action based on the content and findings of the audit."

In early September, OCR hired Leon Rodriguez as its new director. He had little more to add on the specifics of the upcoming audit program other than confirming that a KPMG "pilot program" is imminent, during which OCR will conduct a handful of audits to assess and refine the methodology itself.

But as a former prosecutor and defense attorney, Mr. Rodriguez's bias toward enforcement is becoming clear. During a recent interview with HealthcareInfoSecurity, he was quoted as saying, "Enforcement promotes compliance. The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance."
He went on to say that he plans to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties, and other enforcement actions. "It's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value," he stressed.

In another paragraph, he mentions the word "enforcement" three times in three sentences. In another, he describes larger "enforcement opportunities" and describes focused efforts to help his people learn to put "a case together."

HOW WE CAN HELP

If stricter enforcement is indeed coming soon, how should top executives of healthcare organizations (covered entities and business associates) best prepare for the inevitable day when the government's HIPAA audit team knocks on the door? Unlike some Beltway pundits, we believe that OCR will see these audits as enforcement opportunities rather than educational sessions. And unlike other IT security consulting firms, we urge you not to rely solely on the fact that you've made "good faith" efforts to comply.

Redspin's mission is to help healthcare organizations safeguard and protect private and confidential health information. We also have the domain knowledge, business experience, and professional savvy to prepare you for a HIPAA Security Audit. Here are the ten steps we suggest that will protect your organization and keep the auditors satisfied.

1. Conduct a comprehensive HIPAA security risk analysis and IT security assessment as soon as possible. Many organizations make the mistake of deferring this work until some other project is completed, waiting for a different budget cycle, waiting for a new hire to start, or for some other organizational change to take place. Don't wait!

2. Ensure that your third-party IT security assessment provider follows the administrative, physical, and technical safeguards of the HIPAA Security Rule chapter and verse.

3. Use the security risk analysis process to organize all relevant documentation. HIPAA auditors will want copies of everything. So, not only do you want these policies and procedures to be up-to-date and updated regularly, but make them easy to locate. Nothing is more unnerving than scrambling through file cabinets under a watchful eye.

4. Plan your work. Immediately upon completion of the risk analysis, put an action plan together to address all findings. You don't need to have everything fixed by the time the government audit takes place, but you need a plan in place with assigned tasks and due dates to demonstrate that you're aware of the findings and that all meaningful vulnerabilities are being addressed.

5. Get to work. The more findings and vulnerabilities you've corrected from the original report, the more diligent and competent your organization will look to the auditors.

6. Keep minutes of the meetings in which the results are discussed and action items assigned.

7. Insist that your third-party assessment firm provide you with a hard copy of your assessment report and secure, online interactive access to the findings. An interactive version of your risk analysis gives you the ability to show the auditors up-to-the-minute progress on your remediation plan. Remember: security is not a project; it is a process.

8. Involve senior management early and often. Form a governance, privacy, and IT security steering committee if possible. You'll need executive support to resolve competing interests among different functional groups. In addition, the auditors will conduct interviews during site visits with your leadership, including the CIO, Chief Counsel, and medical records director. You don't want this to be the first they've heard of the undertaking.

9. Demonstrate that you understand the breach notification procedure and explain how it works in your organizational context.

10. Demonstrate a formal internal sanction policy for internal privacy violations and non-adherence to policy. Show examples of past instances where such sanctions have been issued in accordance with policy.

At the end of this process, there will be more benefit to your organization than just a happy HIPAA auditor.

"Across the board, regardless of industry or standard, companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than companies that are categorized as non-compliant." (Tripwire/Ponemon, Jan 2011)