HIPAA Security Rule



Reviews requirements of the HIPAA Security Rule, including the new audit mandate from the OCR

Published in: Technology, Business

HIPAA Security – Prepare Now or ‘Wait and See’?

Background

“An ounce of prevention is worth a pound of cure,” a saying often used in a healthcare context, was first coined by Benjamin Franklin more than two centuries ago as firefighting advice. [1] In this white paper, we share our view of how Franklin’s wisdom can be applied by every administrator of a health plan or healthcare clearinghouse, as well as by any healthcare provider that transmits health information in electronic form, that must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Considering Ben Franklin’s guidance when confronted with challenges, it clearly makes sense to apply an “ounce of prevention.” However, when it comes to HIPAA security and the increasingly complex problem of securing patients’ vital information, how prepared are today’s healthcare organizations? For example:

• Have you performed a compliance evaluation within the past year?
• Do you have a robust risk analysis process in place to monitor and address threats and vulnerabilities to your organization continuously?
• Are you leveraging your Meaningful Use efforts to bring attention to the importance of health information technology (HIT)?
• Have you implemented a sustainable program to manage risk proactively versus reactively putting out fires?

If your response to any of these questions is “no,” read on.

What’s the Issue?

HIPAA security is not a new concept – the final rule was issued on February 20, 2003, with compliance dates in the 2005-2006 time frame, depending on the type of entity.
However, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009, bringing with it tiered penalties that significantly increase the minimum amount for each violation, it strengthened HIPAA enforcement requirements while also providing more authority to federal, state and local enforcement bodies. In adding teeth to HIPAA, HITECH directs the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), to conduct periodic audits to assess compliance and to impose higher penalties for noncompliance. [2] The Federal Trade Commission (FTC) gained a parallel role under HITECH: enforcing breach notification for vendors of personal health records and similar entities that fall outside HIPAA.

The added pressure on the healthcare industry to meet regulatory requirements is real. In 2011, fines and penalties of as much as US$4.3 million were levied for violations, demonstrating that HITECH has provided HHS with increased leverage when negotiating resolution of alleged HIPAA violations. Reputational damage is also a consideration. Clearly, affected organizations need a proactive approach, making the “ounce of prevention” metaphor very relevant. While the writing on HIPAA has always been on the wall, HITECH empowerment and OCR and FTC enforcement increase the accountability of entities subject to HIPAA.

Another consideration is that the “Interim Final Rule for Breach Notification for Unsecured Protected Health Information,” issued pursuant to HITECH, remains in effect. It requires that “following a breach of unsecured protected health information (PHI) covered entities must provide notification of the breach to affected individuals, the Secretary [of HHS], and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.” [3] If the breach affects 500 or more individuals, the entity must notify the HHS Secretary without unreasonable delay and no later than 60 days after discovering the breach; breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

[1] The following information is copyrighted by, and used with permission of, the Independence Hall Association, on the Web at http://www.ushistory.org/franklin/info/index.htm: “[In the 1700s] fires were a very dangerous threat to Philadelphians, so [Benjamin] Franklin set about trying to remedy the situation. In 1736, he organized Philadelphia’s Union Fire Company, the first in the city. His famous saying, ‘An ounce of prevention is worth a pound of cure,’ was actually fire-fighting advice. … Those who suffered fire damage to their homes often suffered irreversible economic loss. So, in 1752, Franklin [also] helped to found the Philadelphia Contributionship for Insurance Against Loss by Fire. Those with insurance policies were not wiped out financially.”
Following notification, the organization’s name and an overview of the breach are posted on the HHS website – a listing commonly referred to as “The Wall of Shame” and not an accolade to be embraced.

Furthermore, under the American Recovery and Reinvestment Act of 2009, the Medicare and Medicaid EHR Incentive Programs provide a financial incentive for the Meaningful Use of certified electronic health record (EHR) technology. The “Protect Electronic Health Information” core measure for both eligible professionals and eligible hospitals under Meaningful Use requires a risk analysis to be completed pursuant to the provisions of HIPAA. [4] The Centers for Medicare and Medicaid Services (CMS), the U.S. federal agency that administers Medicare, Medicaid and the Children’s Health Insurance Program, has stated that these security requirements are not new. They simply require compliance with applicable provisions of the previously established HIPAA Security rules. If the OCR finds an organization to be noncompliant through its own audits, then Meaningful Use payments can be recouped in addition to the levy of any applicable fines.

There is one more point to consider from a regulatory view. The OCR announced in June 2011 that KPMG was selected to administer HIPAA privacy and security audits targeting 150 covered entities. These audits are to be completed by the end of calendar year 2012. The 150 covered entities will be selected systematically by the OCR. According to HHS, “OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.” [5] It is important to note that the selection process will not necessarily be complaint or breach driven.
While that does not mean covered entities previously affected by a breach are excluded, the OCR appears to have committed to eventually audit all organizations that experience a breach affecting 500 or more individuals.

[2] HITECH Act Enforcement Interim Final Rule: Subtitle D of HITECH “addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.” For more information, go to www.hhs.gov.
[3] For more information on the Breach Notification Rule, go to www.hhs.gov.
[4] See HIPAA 45 CFR 164.308(a)(1).
[5] For more information on the HIPAA Privacy and Security Audit Program, go to www.hhs.gov.
With the deadline for completing the audits rapidly approaching, one key initiative the OCR and KPMG are aggressively pursuing is finalizing the associated audit plan. While the OCR has stated it will “broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges,” all signs seem to indicate it will not be providing a “cheat sheet” to facilitate compliance. Therefore, do not expect a checklist covering what to do to pass an audit. This process will put the selected entities under the microscope. It is in the best interests of covered entities to have the appropriate practices in place. [6]

The issues detailed above focus primarily on what the “good guys” are trying to accomplish. However, it is important to remember that technology continues to evolve rapidly, and with this evolution, new security threats continue to emerge. The reality is that a myriad of hackers, criminals and other unscrupulous parties are maintaining their incessant efforts to gain access to confidential and private information across virtually all industries, including healthcare. According to some studies, nearly two-thirds of breaches are the result of malicious intent, meaning they are not accidents. With the increased reliance by most organizations on technology and the world literally at our fingertips, criminals are finding a smorgasbord of information that is not difficult to obtain – hence the need for a proactive approach to HIPAA security compliance.

The bottom line is that enforcement of the HIPAA Security Rule is here. Organizations did not take sufficient action, so the federal government did, and it would be wise to avoid testing the patience of the OCR.
Without question, the OCR is monitoring affected organizations aggressively, and likely will take significant action against organizations that are noncompliant. The OCR/KPMG audit process will provide further opportunity for the OCR to identify entities that are out of compliance, as will notifications of significant breaches. When the time comes to reflect back on 2012, it is not unreasonable to surmise that we will have observed many organizations rushing to improve their security practices and establish standards that should have been in place years ago.

What is Your Ounce of Prevention?

Going back to Benjamin Franklin’s words of wisdom, covered entities have two options. They can sit back and wait until the OCR begins levying penalties and hope they stay under the radar, meaning criminals pass them by, “accidents” don’t happen and they are not selected for audit. The cure will come when it is forced upon them. Alternatively, they can take action now toward prevention while, at minimum, ensuring they have a defensible position that demonstrates they are focusing on securing patient information. Most importantly, regardless of whether or not auditors come knocking, they can make protecting their patients a point of emphasis.

So where to begin? First and foremost, recognize that there is no prescriptive method or best practice to guarantee compliance with the HIPAA Security Rule. The federal government recognizes this and frequently makes similar disclaiming statements. The final rule itself is heavily laden with words like “reasonable,” which provides insight on best practice, but organizations should avoid gimmicky tricks or promises of worry-free compliance.
Unfortunately, the lack of a solid road map to success has opened the door for much debate in the industry. Many organizations are choosing to take the easy path of “wait and see” until proven wrong.

The best pathway through the maze is to take a step back to identify areas where an auditor would likely question the reasonableness of efforts taken. For example, if the last compliance evaluation was performed three years ago, will that satisfy the auditor’s expectations? Is it reasonable to present an entire risk analysis program and summary of results in a two-page memorandum? Is it reasonable to report that the entity’s last refresher training was performed in 2008 or that its policies were last revised in 2007? Is it reasonable to assert that your network is secure when management hasn’t authorized any penetration or vulnerability testing? What if the entity has countless users with administrative access but can’t pinpoint who really needs access – will that work?

The point is clear: Audit yourself or suffer the consequences. Here are 10 key actions your organization should take, beginning today:

(1) With respect to your last compliance evaluation (often referred to as a gap assessment, safeguard analysis, etc.), determine:
  • The date of the evaluation
  • If the evaluation addressed changes stemming from HITECH
  • The extent to which it evaluated compliance against each individual safeguard
  • The extent to which results were documented and remediation activities were completed or are still being monitored
  • If it was performed within a reasonable amount of time (e.g., within the past one to two years at most)
(2) Evaluate the sufficiency of your risk analysis and risk management programs. Compare your programs against existing guidance from the OCR and leverage other resources identified in that documentation. [7] At minimum, position the entity to assert it has addressed and documented each of the key elements of these programs outlined in the high-level guidance, as issued.
(3) Assess the impact of your risk analysis program on Meaningful Use attestation processes planned or under way, keeping in mind that the risk analysis required for Meaningful Use ties directly to the requirements under the HIPAA Security Rule.
(4) Maintain sufficient documentation of your efforts. Consider it your evidence. It should tell management’s story to an independent auditor with little or no additional explanation required.
(5) Ensure the entity has implemented a sustainable program that adapts to the changing environment and is proactive versus reactive.
(6) Monitor industry developments on a continuous basis and leverage existing guidance to the greatest extent practical in a timely manner.
(7) Collaborate with the internal audit and compliance functions and other applicable resources. Security and privacy should be front of mind and an integral part of audit plans in some capacity each year.
(8) Move beyond evaluating simply the design of security and privacy processes and test their operating effectiveness.
(9) Perform penetration and vulnerability testing on a regular basis. Make sure weaknesses are addressed in a timely manner.
(10) Talk to peers. Knowledge share and brainstorm with peers – you’ll take comfort and find it therapeutic once you realize you are not alone in this process.

While the above list is not intended to be all-inclusive (and there isn’t sufficient certainty for anyone to draw up such a list that fits all circumstances), it goes a long way toward providing a high-level road map for demonstrating the entity has taken reasonable steps to comply, where “reasonable” does not convey a guarantee of success and is, of course, subject to varying interpretations. The question is how each action item on the list should be addressed to implement a sufficiently proactive approach to compliance. Entities looking for a road map that is relevant to them should consult their legal and other advisors.

[6] While the OCR may have KPMG pilot a few audits to refine the audit methodology, there is no commitment to provide the marketplace any information regarding the refined audit methodology.
[7] Examples include “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” and “Basics of Security Risk Analysis and Risk Management.” For more information, go to www.hhs.gov.

Getting Ready for Prime Time

Make sure the organization documents its approach for complying with the HIPAA Security Rule, maintains that documentation to keep it current, and ensures evidence exists to support its process. Simply stated, when it comes time for an audit, it is best practice for an organization to have documented evidence available to support what it is doing to comply with the regulations and what is being done to remediate any areas that are not in compliance. To that end, following are key areas for which we believe documentation should be maintained that can be provided to auditors upon request, and that will provide sufficient detail for them to understand the organization’s current environment:

• HIPAA Security Evaluation – As there still appears to be much confusion in the industry over the difference between an “evaluation” and a “risk analysis,” further clarification is warranted. While commonly used interchangeably, these efforts are unique and distinct from one another, as outlined in different safeguards.
With regard to the evaluation process, according to the evaluation safeguard, management must, “Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule [HIPAA Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [8] An evaluation of the organization’s position against the HIPAA Security regulations should be conducted periodically (e.g., annually) and when significant organizational changes occur (e.g., implementation of a new patient accounting system, changes in infrastructure, turnover at key positions, EHR implementation, etc.). The results should be documented and include defining the security measures in place to address each individual safeguard, including applicable policies and/or procedures. This should be the organization’s road map for an auditor; it should be able to direct the auditor to the specific policies, processes and procedures that the organization has implemented to comply with the regulations. Go through the regulations, safeguard by safeguard, and tell the entity’s story of how it is complying. It is critical to remember that “addressable” safeguards are not optional. Under 45 CFR §164.306(d)(3), an addressable implementation specification must be implemented if reasonable and appropriate; if the entity has chosen not to implement one, then management must clearly document the reasoning behind that decision, why it is not applicable and, when appropriate, describe the equivalent alternative or mitigating controls in place to address the associated risks.

[8] HIPAA Security Regulation 45 CFR §164.308(a)(8) Evaluation (Required).

• Risk Analysis and Risk Management – One of the first safeguards found in the HIPAA Security Rule requires organizations to, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” [9] It is important to note that the focus of this Risk Analysis must be on safeguarding electronic protected health information (ePHI). There should be a routine process implemented for refreshing this analysis. This process should occur periodically (e.g., annually) and if the organization undergoes significant changes that affect ePHI. Based upon the results of the risk analysis, the entity must perform risk management activities in order to, “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” [10] That is, management must take action to ensure that risks are being managed and that any deficiencies are resolved in a timely manner.

CMS performed limited HIPAA audits in 2008 and 2009 to gauge compliance with HIPAA regulations. During both years, the primary concern identified was a lack of an effective and thorough assessment of the threats and risks to ePHI (i.e., a deficient risk analysis). In conjunction with guidance [11] issued during the July 2010 time frame, the OCR now points to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 as guidance on how to perform an effective risk analysis and risk management process. In our opinion, many organizations are taking a very high-level approach to this process, and we anticipate this will be an area of significant concern pointed out during the KPMG audits. It is not uncommon to find little to no documentation supporting these efforts. Likewise, it is not uncommon for organizations to assert they are relying on “risk assessments” performed by internal or external auditors that cover a wide range of areas.
However, we believe management should determine if the following exist, at minimum, when evaluating the organization’s processes:

Risk Analysis
‒ Complete Inventory of Assets Containing ePHI – This inventory would include any asset (laptop, server, EHR system, etc.) that stores, processes or transmits ePHI, and should be documented and used as part of the risk analysis.
‒ Relevant Threats and Vulnerabilities to the Asset – NIST defines a threat as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability” and a vulnerability as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” [12] Each threat should have associated vulnerability(ies), and these should be documented for each asset.
‒ Security Measures – Document for each asset the current security measures that are implemented in order to help mitigate vulnerabilities that the threats could exploit.
‒ Calculated Residual Risk – Taking into account the security measures that are captured, determine the residual risk that the threat and vulnerability combination poses to the asset. Calculate the likelihood of the asset being exploited with the current security measures in place, and the impact to the covered entity if that asset were to be exploited. [13]

Risk Management
‒ Residual Risk Mitigation Plans – Document what the organization’s plans are to mitigate any residual risk, or document why it is not feasible/reasonable for the risk to be further mitigated from its current status.
‒ Target Completion Date – Document the date that the organization is targeting to complete the residual risk mitigation plan.
‒ Completion Date – Document the date the residual risk mitigation plan was completed, to demonstrate progress.

[9] HIPAA Security Regulation 45 CFR §164.308(a)(1)(ii)(A) Risk Analysis (Required).
[10] HIPAA Security Regulation 45 CFR §164.308(a)(1)(ii)(B) Risk Management (Required).
[11] “Guidance on Risk Analysis Requirements under the HIPAA Security Rule,” available at www.hhs.gov.
[12] NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems,” by Gary Stoneburner, Alice Goguen and Alexis Feringa, July 2002, available for download at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf. (NIST replaced this edition with SP 800-30 Revision 1, “Guide for Conducting Risk Assessments,” in September 2012; the threat and vulnerability definitions quoted above are from the 2002 edition.)

• Meaningful Use Attestation – Another area for debate relates to the core measure for Meaningful Use in which eligible professionals/hospitals must, “Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” [14] The objective of this measure is that organizations must, “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.” [15] As a result of this EHR-related statement, many organizations believe the HIPAA risk analysis applies only to ePHI contained within the EHR technology. Each of these organizations should take a pause and consult with legal counsel to confirm they are correct. Keep in mind that organizations are required to comply with the HIPAA Security risk analysis safeguard in its entirety, which must address all ePHI that the organization stores, processes or transmits. Naturally, a subset of that ePHI would be that which is contained within the EHR technology. Numerous organizations are interpreting this Meaningful Use measure to mean they need to focus their more detailed risk analysis efforts only on ePHI contained within the EHR, and that remaining risk analysis efforts do not have to be as rigorous.
In our view, this is a misconception. If management’s risk analysis and risk management efforts do not cover all ePHI, we believe the organization will be exposed if a breach occurs or it is selected for audit.

Summary

The HIPAA Security Rule compliance adventure continues for the healthcare industry. Whether it depends on an ounce of prevention or a pound of cure, each covered entity dictates its respective compliance storyline through its approach. This white paper recommends a proactive approach. To that end, we have suggested action steps and key areas for maintaining documentation that will facilitate working through the maze. Reflecting on Benjamin Franklin’s advice, we can conclude that good intentions with a “wait and see” approach neither prevent breaches nor mitigate loss. Preparation does.

Please note that the information in this paper is not intended to be legal analysis or advice, nor does it purport to address every issue that may impact companies or every government response. Organizations should seek the advice of legal counsel or other appropriate advisors on specific questions as they relate to their unique circumstances.

[13] Note: Impact Severity x Occurrence Likelihood = Inherent Risk. Inherent Risk – Safeguards (Controls) = Residual Risk.
[14] Department of Health and Human Services, Centers for Medicare & Medicaid Services, “Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule,” Federal Register, Vol. 75, No. 144, page 44369.
[15] Ibid., page 44368.
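The risk analysis and risk management register laid out under “Getting Ready for Prime Time”, together with the inherent/residual risk formula in footnote 13, as an added worked example that is not part of the Protiviti white paper: a small Python risk register that scores each asset/threat/vulnerability row, ranks rows by residual risk, and runs the checks an auditor would apply to the documentation (assets in the ePHI inventory with no risk analysis entry, high residual risk with neither a mitigation plan nor a documented acceptance rationale, and mitigation plans past their target date). The 1-to-5 likelihood and impact scales, the residual-risk threshold of 8, treating “minus safeguards” as a control-effectiveness fraction, and every asset, threat, score and date in the sample register are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scoring scale is an assumption for this example, not from the white paper:
# likelihood and impact are rated 1 (low) to 5 (high), so inherent risk is
# 1..25 (footnote 13: impact x likelihood). The footnote then "subtracts"
# safeguards; here that is modelled as a control-effectiveness fraction
# (0.0 = safeguards remove nothing, 1.0 = fully mitigated):
#   residual = inherent * (1 - control_effectiveness)
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Mitigation:
    """Residual-risk mitigation plan with the two dates auditors ask for."""
    plan: str
    target_date: date
    completed_date: Optional[date] = None

    def is_overdue(self, as_of: date) -> bool:
        return self.completed_date is None and as_of > self.target_date


@dataclass
class RiskEntry:
    """One asset / threat / vulnerability row of the risk analysis."""
    asset: str                     # must appear in the ePHI asset inventory
    threat: str
    vulnerability: str
    security_measures: list[str]   # current safeguards for this row
    likelihood: int                # 1..5
    impact: int                    # 1..5
    control_effectiveness: float   # 0.0..1.0
    mitigation: Optional[Mitigation] = None
    acceptance_rationale: Optional[str] = None  # documented "why not mitigate further"

    def validate(self) -> None:
        for name, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.asset}: {name} {v} outside {SCALE_MIN}..{SCALE_MAX}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.asset}: control_effectiveness must be 0.0..1.0")
        if self.control_effectiveness > 0.0 and not self.security_measures:
            raise ValueError(f"{self.asset}: effectiveness claimed but no security measures documented")

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        return round(self.inherent_risk() * (1.0 - self.control_effectiveness), 2)


def rank_by_residual(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Highest residual risk first: the order a mitigation plan should work in."""
    return sorted(entries, key=lambda e: e.residual_risk(), reverse=True)


def audit_findings(inventory: list[str], entries: list[RiskEntry],
                   as_of: date, threshold: float = 8.0) -> list[str]:
    """Checks an auditor would apply to the documented register.

    threshold (assumed value) is the residual risk above which a row must carry
    either a mitigation plan or a documented acceptance rationale.
    """
    findings: list[str] = []
    for e in entries:
        e.validate()
    covered = {e.asset for e in entries}
    for asset in sorted(set(inventory) - covered):
        findings.append(f"{asset}: in ePHI inventory but has no risk analysis entry")
    for e in rank_by_residual(entries):
        if e.asset not in inventory:
            findings.append(f"{e.asset}: analysed but missing from the ePHI inventory")
        rr = e.residual_risk()
        if rr > threshold and e.mitigation is None and e.acceptance_rationale is None:
            findings.append(f"{e.asset} / {e.threat}: residual risk {rr} above {threshold} "
                            "with no mitigation plan or documented acceptance rationale")
        if e.mitigation is not None and e.mitigation.is_overdue(as_of):
            findings.append(f"{e.asset} / {e.threat}: mitigation '{e.mitigation.plan}' "
                            f"overdue (target {e.mitigation.target_date.isoformat()})")
    return findings


# Constructed sample register; assets, threats, scores and dates are illustrative only.
EPHI_INVENTORY = ["EHR application server", "Billing laptop fleet",
                  "Backup tapes", "Patient portal", "Research database"]

SAMPLE_ENTRIES = [
    RiskEntry("EHR application server", "external attacker", "unpatched OS",
              ["monthly patching", "perimeter firewall"], 3, 5, 0.6),
    RiskEntry("Billing laptop fleet", "theft or loss", "unencrypted disks", [],
              4, 5, 0.0,
              mitigation=Mitigation("Deploy full-disk encryption", date(2012, 9, 30))),
    RiskEntry("Backup tapes", "loss in transit", "tapes not encrypted",
              ["locked courier case"], 2, 5, 0.3,
              acceptance_rationale="Encrypted tape drives budgeted for next fiscal year"),
    RiskEntry("Patient portal", "web attacker", "application never penetration tested",
              ["web application firewall"], 3, 5, 0.2),
]


def run_sample(as_of_iso: str = "2012-11-01") -> list[str]:
    """Audit the constructed register as of the given ISO date."""
    return audit_findings(EPHI_INVENTORY, SAMPLE_ENTRIES, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for e in rank_by_residual(SAMPLE_ENTRIES):
        print(f"{e.residual_risk():5.1f}  {e.asset} / {e.threat}")
    for f in run_sample():
        print("FINDING:", f)
```

Run as of 1 November 2012 the register produces three findings: the research database sits in the inventory with no analysis row, the laptop encryption plan is past its target date with no completion date, and the patient portal carries a residual risk of 12 with neither a plan nor an acceptance rationale. Those are exactly the gaps the "is it reasonable?" questions earlier in the paper are aimed at, and the register answers them from the documentation alone, with no additional explanation needed from management.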
About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

How Can Protiviti Help?

Protiviti continues to monitor the evolution of regulations impacting the protection of ePHI and related audit requirements. We have developed our approach to assist covered entities in preparing for and implementing measures to enable compliance. Our expertise in compliance, process improvement and technology helps organizations not only prepare for a potential audit, but also implement the institutional changes needed to improve HIPAA Security Rule practices and ensure a sustainable program is implemented.

Whether you are aware of deficiencies in your program, are uncertain of the sufficiency of current efforts or would like an independent evaluation to gain additional peace of mind, Protiviti can assist you. We perform full-scope compliance evaluations, assess and develop robust risk analysis and risk management programs, develop and execute effective training initiatives, and design and enhance Meaningful Use programs.

Protiviti has a strong security knowledge base and subject-matter experts in today’s leading security frameworks, including:

• HITRUST Common Security Framework (CSF) – A healthcare-specific security framework built from other leading security frameworks. Protiviti is a Certified HITRUST CSF Assessor.
• PCI – Protiviti is a Qualified Security Assessor (QSA) for the Payment Card Industry Data Security Standard (PCI DSS).
• ISO 27001 and 27002 – The International Organization for Standardization’s (ISO) information security management standards.
• ITIL – The IT Infrastructure Library’s (ITIL) cohesive best-practices framework for delivering business value through IT service management.
• COBIT – Control Objectives for Information and related Technology (COBIT) is an IT governance framework for implementing a control structure to address business risks.

Regardless of your organization’s security posture, security framework, organizational structure or current challenges, Protiviti has the resources and knowledge to help you implement solutions to address your issues.

Contact

Susan Haseley, +1.469.374.2435, susan.haseley@protiviti.com
Kyle Furtis, +1.212.399.8636, kyle.furtis@protiviti.com
Alex Robison, +1.602.273.8022, alex.robison@protiviti.com
William Thomas, +1.813.348.3373, william.thomas@protiviti.com
Richard Williams, +1.469.374.2469, richard.williams@protiviti.com

© 2012 Protiviti Inc. An Equal Opportunity Employer.
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.