What to Expect from a HIPAA Security Audit

Within the 2009 American Recovery and Reinvestment Act (ARRA) was a legislative gem, the HITECH Act. HITECH provided a much-needed shot in the arm (no pun intended) for the vanguard of healthcare technology advocates (including industry leaders, academics, economists, politicians, and concerned citizens), who had been promoting the necessity of modernizing the U.S. healthcare system for years. Under HITECH, the Centers for Medicare & Medicaid Services (CMS) launched its meaningful use program, a three-stage plan to transition from paper-based to electronic medical records (EMR). Stage 1 meaningful use specifically calls out core requirements for covered entities and eligible providers. Benchmarks, goals, and deadlines have been established to measure the adoption, implementation, and utilization of EMR. Stage 2 requirements will be published in the summer of 2012. Although the program is early in its lifecycle, the success of meaningful use is already widely considered the cornerstone of health IT transformation. Although meaningful use is not mandated by law, it might as well be. By attesting that they have met Stage 1 requirements, hospitals are eligible for up to a $4 million base payment plus a multiplier for 6 years on Medicare reimbursements. The program is a combination of financial incentives (the carrot) and disincentives (the stick), further supported by existing laws enacted under HIPAA years ago. For example, the HIPAA Security Rule has been in force since 2005. At that time, IT usage in healthcare was limited, and the regulations governing it relatively toothless. But meaningful use, with its incentives for the adoption of electronic health records (EHR), and HITECH, with its increased monetary penalties for breaches of protected health information (PHI), have both breathed new life into the HIPAA Security Rule.

In 2011, the impetus for covered entities to improve their privacy policies and IT security infrastructure has also been driven by the Stage 1 EHR meaningful use incentive plan. Part of the requirements for attestation is to have conducted a HIPAA security risk analysis. To fulfill this mandatory requirement, most hospitals hire a third-party security assessment firm such as Redspin, whose staff are experts in IT security and compliance and can deliver an objective, unbiased report. While the carrot has been very motivational (over 85% of hospitals say they will attest to Stage 1 by the end of 2012), the sticks of increased breach penalties and government-ordered HIPAA security audits have not yet had a significant impact. That will change in 2012. Last June, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) awarded $9.2 million to KPMG, under Contract No. GS23F8127H, to support OCR in creating a documented HIPAA audit protocol and to conduct such audits on 150 entities by the end of 2012. The 150 organizations selected will include both covered entities (hospitals) and their business associates (BAs). As we move toward 2012, the reality of increased breach penalties and government-sponsored audits should be top of mind for the executive leadership at hospitals and hospital systems. Prudent healthcare CIOs will naturally want to conduct their own security risk analysis before any government auditors show up at their door. Indeed, Redspin has worked with dozens of early adopters in 2011 who hired us to conduct a HIPAA risk assessment to meet Stage 1 meaningful use deadlines. These admirable entities are well ahead of the game now, should they be selected for an OCR/HIPAA audit as devised by KPMG later this year.
www.redspin.com Meaningful Healthcare IT Security 800.721.9177

MOVING TARGET

In 2011, the majority of hospitals were not ready to meet the full set of meaningful use requirements, and others were hoping for more guidance from CMS/OCR regarding the specific scope of a risk analysis or HIPAA audit. Last May, the agencies were vague at best when the question of what the HIPAA audit protocol would look like was raised at the Annual HIPAA Security Rule Conference in Washington, D.C. They deferred on the question initially, then went on to stress how seriously they planned to take their enforcement responsibility, even presenting dates and cities for an upcoming HIPAA Audit Policy and Procedures training program for State Attorneys General. Most attendees felt that this was putting the cart before the horse: OCR had yet to even award the contract for the development of the HIPAA Audit Policy and Procedures (which went to KPMG a month later). Adding fuel to the fire, OCR suggested that the AG training material was unlikely ever to be publicly released. When pressed by an attendee, the OCR representative deferred to the HIPAA Security Rule, which has been around for years, and suggested that a good starting point for all would be to read or reread that regulation. We agreed.

For Redspin's scope of work, we see no possibility for ambiguity. First, our HIPAA Security Risk Audits/Assessments are conducted in strict accordance with the HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164, Subparts C and E). Second, we consider IT security a process rather than a project. We test, report findings, suggest solutions, validate remediation, and test again at a later date. There are ample opportunities to adjust our scope of work along the way so that we meet compliance objectives. This has always been the way to work with government-backed industry audits. Times change. Technologies advance. With our flexible assessment approach, we're able to stay in lock-step with the auditors and thus deliver the highest value to our clients.

A good example is likely already at hand. Redspin believes that a large concern at hospitals should be the oversight of their business associates, a complex and cumbersome, and thus oft-neglected, responsibility. This is particularly true when one considers the sobering statistic that since September 2009, 55% of all major breach incidents (those involving the records of 500 or more individuals) occurred at BAs, and that less than of healthcare organizations conduct any kind of pre- or post-contract compliance assessment of their BAs. Thus, Redspin has recently added a business associate portfolio risk assessment service to its offerings. For business associates themselves, protecting the security and privacy of ePHI/PHI will suddenly become both a fiduciary responsibility and potentially a competitive issue. OCR has already confirmed that direct liability for a breach will extend to BAs at the end of 2012, raising the specter of civil penalties. As hospitals begin to feel increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network security assessments prior to signing or renewing business contracts. Publicly disclosed violations or civil penalties assessed against BAs could be brand-damaging at the least and a company killer at their most severe.

A NEW SHERIFF IN TOWN

For its part, OCR is going full steam ahead, at least in terms of continuing to stress enforcement. The KPMG contract itself requires their auditors to inform organizations in advance that OCR may initiate further compliance enforcement action based on the content and findings of the audit. In early September, OCR hired Leon Rodriguez as its new director. He had little more to add on the specifics of the upcoming audit program other than confirming that a KPMG pilot program is imminent, during which OCR will conduct a handful of audits to assess and refine the methodology itself. But as a former prosecutor and defense attorney, Mr. Rodriguez's bias toward enforcement is becoming clear. During a recent interview with HealthcareInfoSecurity, he was quoted as saying, "Enforcement promotes compliance. The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance."

He went on to say that he plans to ramp up enforcement of HIPAA with resolution agreements, civil monetary penalties, and other enforcement actions. "It's always going to be a high priority to focus on those cases that involve the most egregious conduct - the most serious violations - and also the cases that have the most deterrent value," he stressed. In another paragraph, he mentions the word enforcement three times in three sentences. In another, he describes larger enforcement opportunities and focused efforts to help his people learn to put a case together.

HOW WE CAN HELP

If stricter enforcement is indeed coming soon, how should top executives of healthcare organizations (covered entities and business associates) best prepare for the inevitable day when the government's HIPAA audit team knocks on the door? Unlike some Beltway pundits, we believe that OCR will see these audits as enforcement opportunities rather than educational sessions. And unlike other IT security consulting firms, we urge you not to rely solely on the fact that you've made good-faith efforts to comply. Redspin's mission is to help healthcare organizations safeguard and protect private and confidential health information. We also have the domain knowledge, business experience, and professional savvy to prepare you for a HIPAA Security Audit. Here are the ten steps we suggest that will protect your organization and keep the auditors satisfied.

1. Conduct a comprehensive HIPAA security risk analysis and IT security assessment as soon as possible. Many organizations make the mistake of deferring this work until some other project is completed, waiting for a different budget cycle, waiting for a new hire to start, or for some other organizational change to take place. Don't wait!
2. Ensure that your third-party IT security assessment provider follows the administrative, physical, and technical safeguards of the HIPAA Security Rule chapter and verse.
3. Use the security risk analysis process to organize all relevant documentation. HIPAA auditors will want copies of everything. So, not only do you want these policies and procedures to be up to date and updated regularly, but make them easy to locate. Nothing is more unnerving than scrambling through file cabinets under a watchful eye.
4. Plan your work. Immediately upon completion of the risk analysis, put an action plan together to address all findings. You don't need to have everything fixed by the time the government audit takes place, but you need a plan in place with assigned tasks and due dates to demonstrate that you're aware of the findings and that all meaningful vulnerabilities are being addressed.
5. Get to work. The more findings and vulnerabilities you've corrected from the original report, the more diligent and competent your organization will look to the auditors.
6. Minute the meetings in which the results are discussed and action items assigned.
7. Insist that your third-party assessment firm provide you with a hard copy of your assessment report and secure, online interactive access to the findings. An interactive version of your risk analysis gives you the ability to show the auditors up-to-the-minute progress on your remediation plan. Remember: security is not a project; it is a process.
8. Involve senior management early and often. Form a governance, privacy, and IT security steering committee if possible. You'll need executive support to resolve competing interests among different functional groups. In addition, the auditors will conduct interviews during site visits with your leadership, including the CIO, chief counsel, and medical records director. You don't want this to be the first they've heard of the undertaking.
9. Demonstrate that you understand the breach notification procedure and explain how it works in your organizational context.
10. Demonstrate a formal internal sanction policy for internal privacy violations and non-adherence to policy. Show examples of past instances where such sanctions have been issued in accordance with policy.

At the end of this process, there will be more benefit to your organization than just a happy HIPAA auditor. "Across the board, regardless of industry or standard, companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than companies that are categorized as noncompliant." (Tripwire/Ponemon, Jan 2011)