The Department of Health and Human Services’ Office for Civil Rights (OCR) has finally published the official protocol and detailed procedures guiding its HIPAA Audit program. The protocol, developed by subcontractor KPMG together with OCR, includes 77 evaluation areas for security and another 88 areas for privacy/breach notification. Here’s a link to the publication, which is conveniently keyword searchable: http://ocrnotifications.hhs.gov/hipaa.html
Of particular interest to Redspin is the section dedicated to IT security. As former White House Cybersecurity Czar Howard Schmidt said recently, “Without security, there can be no privacy.” We were pleased, but not surprised, to see that the audit protocol maps directly to the HIPAA Security Rule sections §164.308, §164.310 and §164.312.
For the past several years, we’ve advised our clients that any official HIPAA security audit program would necessarily revert to the existing HIPAA Security Rule provisions that have been “on the books” since 2005. That is how Redspin designed its own methodology for our HIPAA Security Risk Assessments, and we were 100% confident that our approach would pass muster with any subsequent interpretations.
Further, at the June 7th HIPAA Security Rule conference, Linda Sanchez, Senior Advisor and Health Information Privacy Lead at OCR, reported that the results of the first 20 OCR/KPMG pilot audits showed that security compliance was a far more troublesome area than privacy compliance. More specifically, 74% of the findings were security gaps or breach issues compared to 26% policy violations. Against the backdrop of the transition of the healthcare industry from a paper-based system to electronic health records, Redspin continually stresses that IT security is job one.
OCR concurs. Ms. Sanchez went on to recommend “next steps” that all covered entities should implement not simply as preparation for a potential audit but as best practices. Her first suggestion? Conduct a robust review and assessment. Next? Determine stakeholders – all lines of business that are impacted by HIPAA regulations. Then identify all of the protected health information (PHI) within the organization and map its flow within the organization and to/from business partners.
In conclusion, the audit protocol itself is informative at least in the sense that there are no surprises, but neither does it offer any more explicit guidance than what is already in the HIPAA Security Rule. Redspin continues to advise our clients that safeguarding PHI is the primary objective. By conducting a comprehensive security risk analysis and implementing a remediation plan that addresses the findings in a diligent and timely manner, a covered entity will not only improve its security posture and reduce risk, but will also have nothing to fear from an OCR/KPMG audit.