Many healthcare organizations breathed a collective sigh of relief when the Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) finally made their HIPAA audit protocol publicly available this past June. It can be accessed here. As a refresher, Section 13411 of the 2009 HITECH Act required that HHS “provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of (HITECH and HIPAA), comply with such requirements.” The protocol was developed under OCR collaboration with “Big 4” consulting firm KPMG.
Uncertainty persisted since late last year when it was announced that OCR/KPMG had completed work on the audit protocols. Indeed, even the first 20 audits were conducted before the protocol was made public. Not knowing what they might be audited for had raised anxiety levels among some covered entities. Many of Redspin’s clients and prospective clients asked us for guidance during the 7 or 8 months prior to the protocol publication. We advised all who asked that if they wanted an early look at the HIPAA security audit protocol, they need only refer back to the HIPAA Security Rule itself. We posted that the federal government, even with KPMG’s potential bias (since they are also conducting the first 115 audits), could not stray very far from a law that had been on the books since 2005.
We were right. Each of the 77 audit areas of performance evaluation that relate to IT security cite Security Rule section numbers and use the exact Security Rule language to describe “Established Performance Criteria.” Years ago, Redspin mapped our own HIPAA Risk Analysis and Security Assessment to the Security Rule so we had a good idea of what to look for in the OCR/KPMG document.
However, there is one very important difference between Redspin’s scope of work and any audit protocol. We’ve always maintained that the HIPAA Security Rule informs our work but we also consider the Rule and any protocols derived thereunder a subset of the work we do. What the HIPAA Security Rule and the OCR audit protocols fail to dictate is the comprehensive security testing that is also required to truly be in compliance.
Redspin’s approach has been instrumental in our success in helping nearly 100 hospitals meet their security requirements under the Stage 1 EHR “Meaningful Use” Incentive Program. Core Measure 14 of Meaningful Use mandates that hospitals conduct a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct security deficiencies identified as part of its risk management process.
Thus, while most people generally associate HIPAA with privacy, the migration to electronic health records has placed the emphasis squarely on security. As Howard Schultz, former White House Cybersecurity Czar has said, “Without security, there is no privacy.”
This shift is vitally important to understand. Most hospitals’ IT staff members do not have the expertise or tools needed to accurately perform a Core Measure 14 Risk Analysis. HIPAA consultants, particularly those who have been in the industry for many years, invariably understand the privacy regulations far better than IT security. Even the auditors empowered by OCR are likely to emphasize privacy and notification policy and procedures while missing the larger threat to safeguarding protected health information (PHI) that may manifest as an erroneous firewall configuration, open port, or default password on a critical system.
Our point is that comprehensive security testing in healthcare organizations is an absolute must. Today’s hospital IT infrastructures are an order of magnitude more complex than they were just two years ago. Electronic health records have raised the stakes for data breach; a simple oversight, an insecure password, a theft of a single portable electronic device – can now impact thousands if not millions of patients and result in a major financial and reputational hit to a healthcare provider.
The HIPAA Security Rule and the OCR/KPMG HIPAA audit protocol provide compliance guidance but ultimately they are just words on paper. Truly safeguarding protected health information means digging in technically with security experts (internally or with outside consultants such as Redspin). IT security itself is a process, not an audit. It involves testing your infrastructure, your systems, your applications, your employees, and your business associates. It is about finding vulnerabilities, implementing remediation plans, validating that the appropriate fixes have been made, and building periodic, repeat IT security testing into your overall risk management program.