The OIG (the Office of Inspector General – the audit arm of the Department of Health & Human Services) recently released its report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and enforcement regarding hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly characterizes the current regulatory compliance efforts by the CMS as lax. While the report is full of interesting statistics about the extent to which the hospitals audited as part of the analysis were lacking in security, I thought it made sense to discuss the inevitable outcome for hospitals and, frankly, any organization covered by the HIPAA Security Rule.
What the Report Says About the Future
1. Expect post-breach due diligence
In rock climbing, we had a saying: it’s not the fall that kills you, it’s the landing. Well, that certainly rings true with a data breach. If you’ve read the news lately, you’re likely aware of the scrutiny into organizations that have experienced a breach. Not only does the true financial cost and liability impact become clear in the weeks and months following a breach, but the entire risk management strategy of the organization comes under a microscope. For those organizations that fall within the HIPAA Security Rule’s compliance requirements, that is echoed loud and clear in this report, which states that the CMS:
“performs compliance reviews of covered entities in response to breaches of unsecured protected health information affecting 500 or more individuals”.
So, while many healthcare CIOs have never been through a compliance audit, they may already expect one in the event of an ePHI data breach; after this report, they can be assured of it. And when the microscope comes out, here are the kinds of questions the CMS will be asking:
- Sure you have security controls, but are they actually working?
- Does executive management have a clear understanding of their risk profile?
- Does your healthcare organization have a structured and systematic approach to risk management?
- Are you aware of, and do you follow up on, deficiencies in your security program?
So if your security is lax, the ineffectiveness of your program will become clear in the post-breach analysis.
2. Expect Pro-Active Audits
While it may not be surprising to CIOs to expect some regulatory due diligence into their information security programs after a breach, it may be more of a surprise that periodic or even annual regulatory security audits by the CMS are inevitable. Not only are state Attorneys General getting trained by the federal government on HIPAA enforcement, but the OIG is clearly indicating that pro-active CMS auditing is what it would like to see. Healthcare is unique in that, while it has clear regulatory guidance on security (the HIPAA Security Rule), it has not been subject to consistent oversight in the form of audits. In other industries (financial services, for example) CIOs have for years come to expect annual onsite visits from the regulators in which their security programs and controls are reviewed. Here are some of the OIG statements showing that the current state of affairs (lax auditing and minimal oversight) is not appropriate moving forward:
INSUFFICIENT OVERSIGHT AND ENFORCEMENT ACTIONS
CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule.
Here is another telling indicator from the report:
Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage OCR to continue the compliance review process begun by CMS in 2009.
So it’s clear that healthcare organizations should expect pro-active audits not only from the state Attorneys General but at the federal level as well, from the CMS.
3. Expect the CMS to take a broad view of security
At Redspin, we’ve always been fans of taking a practical view of security and compliance. It looks like the regulatory environment is poised to take a similar view, as the report’s recommendation shows:
We recommend that OCR continue the compliance review process that CMS began in 2009 and implement procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities.
From a practicality standpoint this is a good thing. However, those entities that deploy controls just because they have to, rather than putting real thought into the deployment to ensure the controls work as intended, will find that the existence of a control does not by itself free them from regulatory liability.
- Don’t just treat a HIPAA Security Risk Analysis like a compliance check-the-box item on your agenda. Consider the fact that a meaningful HIPAA Security Risk Analysis is the foundation for effective risk management and leverage the effort to build a robust and systematic information security program that will maximize HIPAA Security Rule compliance while minimizing risk of ePHI data breach.
- Understand that by focusing on the intent of the HIPAA Security Rule you can achieve both security and compliance. However, the inverse is not true: focusing on compliance does not necessarily buy you security in the risk management sense of the word – in fact, in the OIG’s opinion, it won’t even buy you compliance.
- Always remember: it’s not the existence of a control that matters, but its effectiveness.
While additional oversight may seem daunting, the good news is that hospitals and other healthcare organizations can get lasting practical and compliance value from doing an annual HIPAA Security Risk Analysis.
- It can be used to meet the meaningful use core objective of safeguarding ePHI.
- It’s the foundation of a robust information security program.
- It can be used to provide executive management visibility into their risk profile and overall IT environment.
- It can lower your overall risk profile, by identifying and prioritizing critical risk.
- In the event of a CMS audit, it will provide evidence that your organization has a robust security foundation and a systematic information security program.
* Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-08-05069)