The HHS settlement agreement states that disks containing individuals' HIPAA-protected health records were taken from employees' cars on at least five occasions in 2005 and 2006. The agreement also mandates that Providence Health and Services use encryption and other data protection policies to prevent the opening of authorized files. Providence must also train employees on security processes and issue compliance reports to HHS for three years.
This news should eliminate the false perception among healthcare organizations that HIPAA compliance is optional. Now that fines and monetary penalties are on the table, it's time for enterprises to shore up their HIPAA compliance programs, and that means being prepared for that next audit. Here are several steps enterprises can take to ensure a successful HIPAA audit.
What are the trends?
A quick review of HHS compliance and enforcement data shows that the top five HIPAA compliance and enforcement issues during the past few years remain virtually unchanged. Among others, common problems include impermissible uses and disclosures, safeguards, access control. These issues are recurring due to the fact that they are the core of a successful HIPAA compliance program. They involve controls that range across the full spectrum of technical, operational and management controls. Failures of these controls may lead to inappropriate disclosure and thus bring negative attention to the organization. Unfortunately, while the overall security posture is stagnant across the healthcare industry, the number of complaints filed against an organization due to the loss or exposure of sensitive information continues to rise. Such a scenario will generally lead to a more focused audit of that particular organization as trends develop and become recognized across the industry. For example, as more laptops have been lost and/or stolen, audits have focused on the policies, procedures and technical controls related to protecting mobile devices and data.
Auditors don't show up without an invitation, so before meeting with them, plan to gather your staff and key personnel and review the status of all outstanding projects. Also let them know the purpose of the audit and what areas or functions the auditors are expected to focus on. Common focus areas include the accuracy and completeness of documentation, current risk assessments, review of POAMs (plan of action and milestones), current inventory, and security awareness and training. Auditors expect key staff to know what's going on in the organization. If people don't know that a security measure, like encryption for example, hasn't been implemented, the conflicting stories will be a red flag to the auditor.
What will the auditors want to see when they arrive? Documentation; lots of it! All documentation of security procedures needs to be properly maintained and updated. In the eyes of the auditor, if it isn't in writing, then it didn't happen. All staff should be aware of the existing security policies and processes. If not, then they need proper training. You do have an awareness training program, don't you? The auditor will want to know that your team is aware of organizational policies and security practices.
It's a good idea to show up at the initial auditor meeting with copies of critical documentation, possibly including security plans, risk assessments, policies, procedures, contingency plans and disaster recovery processes. They're going to ask for it; the sooner you provide it to them, the quicker they'll be kept busy reading and digesting it all.
Communication is critical
Communication will be critical throughout the audit process. Stay in touch with the audit team, be cooperative and make sure they have what they need. In spite of the bad rap auditors get, they really are on your side. Daily briefings with the auditors and staff can ensure the process goes smoothly.
To prevent rumors, communicate with your staff as well. Staff members should be notified ahead of time if their assistance will be needed for any aspect of the audit. They should be given enough time to be prepared for interviews.
Handling any findings
No matter how thorough your work has been, there are likely to be some findings by the auditors. Don't panic! Listen thoroughly to what the auditor has to say. Not all findings are legitimate, but may be due to a misunderstanding of the environment, the implementation of controls, and any mitigating factors in the environment. If there's any misunderstanding due to the specifics of your organization, you will have an opportunity to discuss the issues in a professional manner. Supporting documentation may be helpful to demonstrate where the misunderstanding lies. The auditor is not intimately familiar with your environment, so it's quite possible he or she has missed something along the way or drawn an incorrect conclusion. If that's the case, it can be worked out.
If the auditor is correct in his or her finding, however, discuss the effect of the finding in your environment. Demonstrate any mitigating factors that may have been overlooked. Above all, cooperate and be professional; a peaceful discussion will go a long way toward reaching a solution.
While I've almost never seen an audit that didn't produce some sort of findings, it is possible to reduce the effect of findings by being as prepared as possible. Accurate and complete documentation of security controls -- being able to clearly demonstrate that health-related data is well-protected through encryption, access control policies, or other procedures -- is the best way to prepare for and ensure a successful audit.
About the author:
Randy Nash is CISSP with more than 25 years of professional experience in information security, system security, network security, personnel security, and physical security. First certified in ADP security and risk assessment in 1984, he has a long history of work with civilian, military and government entities. Randy also maintains the security website @RISK Online, where he posts projects and articles on a wide variety of security topics.
This was first published in September 2008