In July, the HHS Office for Civil Rights (OCR) announced that it had engaged the consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. The audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act.
The KPMG contract gives OCR “feet on the street” while it retains an oversight role in the process. Sue McAndrew, OCR’s deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. “Certainly, if we uncover in the course of the audit major violations or potential violations … we will be dealing with those … in the same manner we would through our formal enforcement process,” she said recently, according to www.healthcareinfosecurity.com.
The focus and scope of the HIPAA audits have yet to be fully defined, but a few things are clear. Each audit will follow a “typical onsite audit process,” with an in-person visit and interviews with key management personnel such as the CIO, the privacy officer, legal counsel, and the health information management/medical records director. Draft reports will be shared with the organization before they are finalized, and management responses will be incorporated into the final audit report.
Fair enough, but beyond that the details get murkier. Ms. McAndrew goes on to say that the audits will “initially offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than specific narrower issues.” For covered entities, it must be a little confusing to see the words “comprehensive assessment” juxtaposed with “rather than specific, narrower issues.”
At Redspin, we use the term “comprehensive security assessment” to mean one that does include specific, narrow issues. After all, we are guided by the HIPAA Security Rule, which runs to 84 pages even in its simplified version (see the Administrative Simplification Regulation Text, March 2006). It is also unclear how OCR and KPMG will select the organizations to audit. The projected 150 audits in 2012 make the likelihood of an audit visit to any one organization fairly low, but keep in mind that OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well.
We think it would be prudent for a healthcare organization to consider now what it can do, knowing that a HIPAA audit is possible sometime in the future. An old Scouting motto comes to mind: “Be Prepared.” This is a good time for covered entities and business associates to review their HIPAA privacy and security programs and make sure their documentation is up to date.
Most importantly, given the increased civil penalties and liabilities for a PHI breach, assessing whether the security program is effectively safeguarding electronic protected health information (ePHI) can now be considered a fiduciary responsibility for healthcare companies. Organizations participating in the EHR “meaningful use” incentive program already have a compelling reason to “conduct or update a security risk analysis,” but note that, with or without meaningful use, a risk analysis is a required implementation specification of the HIPAA Security Rule itself (45 CFR 164.308(a)(1)(ii)(A)) and is mandatory for all covered entities and business associates.
To help you prepare, let’s fast-forward to what an actual HIPAA security audit may look like. The first thing any security auditor looks for is the policies and controls you have in place: how they are documented, implemented, communicated, and enforced, and, lastly, how effective they have been. Auditors will want to review whether you have identified vulnerabilities within your organization in the past and what steps you have taken to mitigate them. At Redspin, we have worked with IT auditors for nearly a decade in our banking and financial practice. We have found that companies that previously engaged independent firms like Redspin to conduct comprehensive Security Risk Assessments (rather than checkbox compliance solutions) benefit greatly when audit time rolls around.
First impressions are always important, and when an auditor sees that you have already conducted a Security Risk Assessment in accordance with the HIPAA Security Rule, they know their work is more than half done. And so is yours. The follow-up demands on your organization’s time and resources will be much lighter, and the outcome is very likely to be more positive. You will be able to show well-documented policies and procedures, an objective rating of the effectiveness of your controls, the actions management has taken to address known vulnerabilities, and how your security risk posture has improved over time.
When Redspin conducts a Security Risk Analysis, we make all of the information above accessible to you through our secure, web-based client portal. This helps you navigate large amounts of information quickly and present summary results in a compelling, graphical, easy-to-understand format. Lastly, if requested, we will stand side by side with you during an audit. Redspin security engineers are always available to discuss the results of your assessments, and we are also happy to walk through those findings, validations, and final reports with outside auditors at no additional charge.