HIPAA Security Audits in 2012-What to Expect. Are You Ready?
What to Expect from a HIPAA Security Audit
Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act.
HITECH provided a much needed “shot in the arm” (no pun intended) for the vanguard of healthcare technology
advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been
promoting the necessity of modernizing the U.S. healthcare system for years.
Under HITECH, the Center for Medicare Services (CMS) launched its “meaningful use” program, a 4-stage plan to
transition from paper-based to electronic medical records (EMR). Stage 1 “meaningful use” specifically calls out core
requirements for covered entities and eligible providers. Benchmarks, goals, and deadlines have been established to
measure the adoption, implementation, and utilization of EMR. Stage 2 requirements will be published in the summer
of 2012. Although early in its lifecycle, the ultimate success of the “meaningful use” program is already widely
considered the cornerstone of IT health transformation.
Although “meaningful use” is not mandated by law, it might as well be. By attesting that they have met Stage 1
requirements, hospitals are eligible for up to a $4 million base payment plus a multiplier for 6 years on Medicare
reimbursements. The program is a combination of financial incentives (the “carrot”) and disincentives, further
supported by existing laws enacted under HIPAA years ago. For example, the HIPAA Security Rule has been around
since 2005. At that time, IT usage in healthcare was limited, and the regulations governing it, relatively toothless.
But “meaningful use,” with its incentives for the adoption of electronic health records (EHR), and HITECH with
increased monetary penalties for the breach of protected health information (PHI) both breathed new life into the
HIPAA Security Rule.
In 2011, the impetus for covered entities to improve their privacy policies and IT security infrastructure has also been
driven by the Stage 1 EHR meaningful use incentive plan. Part of the requirements for attestation is to have conducted
a HIPAA Security Risk Analysis. To fulfill this mandatory requirement, most hospitals hire a 3rd party security
assessment firm such as Redspin, who are experts in IT security and compliance, and can deliver an objective,
unbiased report.
While the “carrot” has been very motivational (over 85% of hospitals say they will attest to Stage 1 by the end of
2012), the “sticks” of increased breach penalties and government-ordered HIPAA security audits have not yet had an
impact in any significant way. That will change in 2012.
Last June, the Department of Health and Human Services (HHS)' Office of Civil Rights (OCR) awarded $9.2 million
to KPMG, under Contract No. GS23F8127H, to support OCR in creating a documented HIPAA audit protocol and
conduct such audits on 150 entities by the end of 2012. The 150 organizations selected will include both covered
entities (hospitals) and their business associates (BAs).
As we move toward 2012, the reality of increased breach penalties and government-sponsored audits should be “top
of mind” for the executive leadership at hospitals and hospital systems. Prudent healthcare CIOs will naturally want
to first conduct their own security risk analysis before any government auditors show up at their door. Indeed,
Redspin has worked with dozens of “early adopters” in 2011 who hired us to conduct a HIPAA risk assessment to
meet Stage 1 meaningful use deadlines. These admirable entities are well ahead of the game now should they be
selected for an OCR/HIPAA audit as devised by KPMG later this year.
www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177
MOVING TARGET
In 2011, the majority of hospitals were not ready to meet the full set of meaningful use requirements, and others were
hoping for more guidance from CMS/OCR in regard to specific risk analysis or HIPAA audit scope. Last May, the
agencies were vague at best when the question of what the HIPAA audit protocol would look like was raised at the
Annual HIPAA Security Rule Conference in Washington, D.C. They deferred on the question initially then went on
to stress how seriously they planned to take their enforcement responsibility, even presenting dates/cities for an
upcoming HIPAA Audit Policy and Procedures training program for State Attorneys General.
Most attendees felt that this was putting the cart before the horse. OCR had yet to even award the contract for the
development of the HIPAA Audit Policy and Procedures (which went to KPMG a month later). Adding fuel to the
fire, OCR suggested that the AG training material was unlikely ever to be publicly released. When pressed by an
attendee, the OCR representative deferred to the HIPAA Security Rule “which has been around forever” and
suggested that a good starting point for all would be to read or reread that legislation.
We agreed. For Redspin's scope of work, we see no possibility for ambiguity. First, our HIPAA Security Risk Audits/
Assessments are conducted in strict accordance with the HIPAA Privacy and Security Rules (45 CFR 160 and 164
Sub-parts C and E). Second, we consider IT security as a process rather than a project. We test, report findings,
suggest solutions, validate remediation, and test again at a later date. There are ample opportunities to adjust our
scope of work along the way so that we meet compliance objectives. This has always been the way to work with
government-backed industry audits. Times change. Technologies advance. With our flexible assessment approach,
we're able to stay in lock-step with the auditors and are thus able to deliver the highest value to our clients.
A good example is likely already at hand. Redspin believes that a large concern at hospitals should be the oversight
of their business associates, a complex and cumbersome, thus oft-neglected responsibility. Particularly when one
considers the sobering statistic that since September 2009, 55% of all major breach incidents (those involving 500 or
more individuals' records) occurred at BAs and that less than half of healthcare organizations conduct any kind of
pre- or post-contract compliance assessment of their BAs. Thus, Redspin has recently added a business associate
portfolio risk assessment service to its offerings.
For business associates themselves, protecting the security and privacy of ePHI/PHI will suddenly become both a
fiduciary responsibility and potentially a competitive issue. The OCR has already confirmed that direct liability for a
breach will extend to BAs at the end of 2012 raising the specter of civil penalties. As hospitals begin to feel increased
audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network
security assessments prior to signing or renewing business contracts. Publicly disclosed violations or civil penalties
assessed to BAs could be brand-damaging at the least and a company killer at the most severe.
A NEW SHERIFF IN TOWN
On their part, OCR is going full steam ahead, at least in terms of continuing to stress enforcement. The KPMG
contract itself requires their auditors to inform organizations in advance that “OCR may initiate further compliance
enforcement action based on the content and findings of the audit.”
In early September, OCR hired Leon Rodriguez as its new director. He had little more to add on the specifics of the
upcoming audit program other than confirming that a KPMG “pilot program” is imminent during which OCR will
conduct a handful of audits to assess and refine the methodology itself.
But as a former prosecutor and defense attorney, Mr. Rodriguez's bias towards enforcement is becoming clear. During
a recent interview with HealthcareInfoSecurity, he was quoted as saying “enforcement promotes compliance. The fact
that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will
promote compliance."
He went on to say that he plans to ramp up enforcement of HIPAA with resolution agreements, civil monetary
penalties, and other enforcement actions. "It's always going to be a high priority to focus on those cases that involve
the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value," he
stressed.
In another paragraph, he mentions the word “enforcement” three times in three sentences. In another, he describes
larger “enforcement opportunities” and describes focused efforts to help his people learn to put “a case together.”
HOW WE CAN HELP
If stricter enforcement is indeed coming soon, how should top executives of healthcare organizations (covered entities
and business associates) best prepare for the inevitable day when the government's HIPAA Audit team knocks on the
door? Unlike some Beltway pundits, we believe that OCR will see these audits as enforcement opportunities rather
than educational sessions. And unlike other IT security consulting firms, we urge you not to rely solely on the fact
that you've made “good faith” efforts to comply.
Redspin's mission is to help healthcare organizations safeguard and protect private and confidential health
information. We also have the domain knowledge, business experience and professional savvy to prepare you for a
HIPAA Security Audit. Here are the ten steps we suggest that will protect your organization and keep the auditors
satisfied.
1. Conduct a comprehensive, HIPAA security risk analysis and IT security assessment as soon as possible.
Many organizations make the mistake of deferring this work until some other project is completed, waiting for
a different budget cycle, waiting for a new hire to start, or for some other organizational change to take place.
Don't wait!
2. Ensure that your 3rd party IT security assessment provider follows the administrative, physical, and technical
safeguards of the HIPAA Security Rule chapter and verse.
3. Use the Security Risk Analysis Process to organize all relevant documentation. HIPAA Auditors will want
copies of everything. So, not only do you want these policies and procedures to be up-to-date and updated
regularly but make them easy to locate. Nothing is more unnerving than scrambling through file cabinets
under a watchful eye.
4. Plan Your Work. Immediately upon completion of the risk analysis, put an action plan together to address all
findings. You don't need to have everything fixed by the time the government audit takes place, but you need a
plan in place with assigned tasks and due dates to demonstrate that you're aware of the findings and that all
meaningful vulnerabilities are being addressed.
5. Get to Work. The more findings and vulnerabilities you've corrected from the original report, the more
diligent and competent your organization will look to the auditors.
6. Minute the meetings in which the results are discussed and action items assigned.
7. Insist that your 3rd party assessment firm provide you with a hard copy of your assessment report and secure,
online interactive access to the findings. An interactive version of your risk analysis provides you with the
ability to show the auditors up-to-the-minute progress on your remediation plan. Remember: Security is not a
project; it is a process.
8. Involve senior management early and often. Form a governance, privacy, and IT security steering committee if
possible. You'll need executive support to resolve competing interests among different functional groups. In
addition, the auditors will conduct interviews during site visits with your leadership including the CIO, Chief
Counsel, and medical records director. You don't want this to be the first they've heard of the undertaking.
9. Demonstrate that you understand the breach notification procedure and explain how it works in your
organizational context.
10. Demonstrate a formal internal sanction policy for internal privacy violations and non-adherence to policy.
Show examples of past instances where such sanctions have been issued in accordance with policy.
At the end of this process, there will be more benefit to your organization than just a happy HIPAA auditor.
"Across the board, regardless of industry or standard, companies that consistently comply with security requirements
and standards save three times more in security-related expenses annually than companies that are categorized as
non-compliant." (Tripwire/Ponemon, Jan 2011)