Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security


Many healthcare organizations breathed a collective sigh of relief when the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) finally made their HIPAA audit protocol publicly available this past June. Many of Redspin’s clients and prospective clients asked us for guidance during the 7 or 8 months prior to the protocol publication. We advised all who asked....

Published in: Health & Medicine

Transcript

Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security

Many healthcare organizations breathed a collective sigh of relief when the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) finally made their HIPAA audit protocol publicly available this past June. It can be accessed here. As a refresher, Section 13411 of the 2009 HITECH Act required that HHS “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of (HITECH and HIPAA), comply with such requirements.” The protocol was developed under OCR collaboration with “Big 4” consulting firm KPMG.

Uncertainty persisted since late last year, when it was announced that OCR/KPMG had completed work on the audit protocols. Indeed, even the first 20 audits were conducted before the protocol was made public. Not knowing what they might be audited for had raised anxiety levels among some covered entities. Many of Redspin’s clients and prospective clients asked us for guidance during the 7 or 8 months prior to the protocol publication. We advised all who asked that if they wanted an early look at the HIPAA security audit protocol, they need only refer back to the HIPAA Security Rule itself. We posted that the federal government, even with KPMG’s potential bias (since they are also conducting the first 115 audits), could not stray very far from a law that had been on the books since 2005.

We were right. Each of the 77 audit areas of performance evaluation that relate to IT security cites Security Rule section numbers and uses the exact Security Rule language to describe “Established Performance Criteria.” Years ago, Redspin mapped our own HIPAA Risk Analysis and Security Assessment to the Security Rule, so we had a good idea of what to look for in the OCR/KPMG document. (A copy of our crosswalk map is freely downloadable; click here to download.)

However, there is one very important difference between Redspin’s scope of work and any audit protocol. We’ve always maintained that the HIPAA Security Rule informs our work, but we also consider the Rule and any protocols derived thereunder a subset of the work we do. What the HIPAA Security Rule and the OCR audit protocols fail to dictate is the comprehensive security testing that is also required to truly be in compliance.

Redspin’s approach has been instrumental in our success in helping nearly 100 hospitals meet their security requirements under the Stage 1 EHR “Meaningful Use” Incentive Program. Core Measure 14 of Meaningful Use mandates that hospitals conduct a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct security deficiencies identified as part of its risk management process.

Thus, while most people generally associate HIPAA with privacy, the migration to electronic health records has placed the emphasis squarely on security. As Howard Schultz, former White House Cybersecurity Czar, has said, “Without security, there is no privacy.”

This shift is vitally important to understand. Most hospitals’ IT staff members do not have the expertise or tools needed to accurately perform a Core Measure 14 Risk Analysis. HIPAA consultants, particularly those who have been in the industry for many years, invariably understand the privacy regulations far better than IT security. Even the auditors empowered by OCR are likely to emphasize privacy and notification policies and procedures while missing the larger threat to safeguarding protected health information (PHI): one that may manifest as an erroneous firewall configuration, an open port, or a default password on a critical system.

Our point is that comprehensive security testing in healthcare organizations is an absolute must. Today’s hospital IT infrastructures are an order of magnitude more complex than they were just two years ago. Electronic health records have raised the stakes for data breach; a simple oversight, an insecure password, or the theft of a single portable electronic device can now impact thousands if not millions of patients and result in a major financial and reputational hit to a healthcare provider.

The HIPAA Security Rule and the OCR/KPMG HIPAA audit protocol provide compliance guidance, but ultimately they are just words on paper. Truly safeguarding protected health information means digging in technically with security experts (internally or with outside consultants such as Redspin). IT security itself is a process, not an audit. It involves testing your infrastructure, your systems, your applications, your employees, and your business associates. It is about finding vulnerabilities, implementing remediation plans, validating that the appropriate fixes have been made, and building periodic, repeat IT security testing into your overall risk management program.

Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM