July 7 2008
Don’t Get Spooked
By Selena Chavis
For The Record
Vol. 20 No. 14 P. 14
Despite talk to the contrary, HHS says it’s not pulling unannounced HIPAA security audits out of its hat. Still, industry experts say to expect a renewed emphasis on the 2005 regulation.
Surprise audits? Unannounced reviews? Predictions of a more aggressive effort by the Centers for Medicare & Medicaid Services (CMS), the Office for Civil Rights (OCR), and the Office of Inspector General (OIG) to enforce compliance with HIPAA security and privacy rules abound.
Lately, the media has been abuzz with talk about new tactics that are being rolled out by Health and Human Services (HHS) to ensure HIPAA compliance from healthcare organizations—and the industry is taking notice.
“The government often seems to give industry a free pass for a year or so when new regulations are being introduced,” says David Harlow, principal with The Harlow Group LLC, a Massachusetts-based healthcare law and consulting firm. “There have been surveys done that show that many healthcare organizations have put this on the back burner … because there is a perception that there are no real teeth to HIPAA.”
In April, the HIPAA implementation cycle marked five years in the making, and out of thousands of complaints filed with the OCR, no covered entities had been issued a civil monetary penalty as HHS continues to take a stance of issuing corrective action plans and opportunities for voluntary compliance.
“Our mission is to help educate the industry,” says Lorraine Doo, HHS senior policy advisor. “I don’t mean to make light of it. … We have just not found merit in any case to [levy penalties].”
Cheryl Wahl, chief compliance officer with Ohio-based University Hospitals, believes that educating the industry is the right approach because most healthcare organizations aim to comply. However, compliance questions are still raised on a daily basis.
“We hear requests on a pretty consistent basis on how to carry out the requirements. All of the issues are not clearly resolved,” she says. “The enforcement has a place within the organization and outside the organization, but to really create a culture of concern through education is really the way to bring the rules into practice.”
Fears of becoming tomorrow’s news headline or marring patient confidence will ensure that organizations are doing their due diligence, says Alan Ogilbee, information security officer at University Hospitals. “It’s really the public, the patients—it’s the trust they have in the system,” he says. “At this organization, we treat HIPAA very seriously not only because it’s a regulation but because of [consumer confidence].”
That may not be enough, though, says Wes Rishel, vice president and distinguished analyst with Gartner research group. As security issues over patient privacy continue to make the morning news and remain a focal point of public attitude and trust toward healthcare, he says healthcare organizations can expect more scrutiny by government bodies.
Alongside scrutiny on the government level, it is expected that quality industry watchdogs such as The Joint Commission will follow suit. In fact, Rishel points out that beginning this year, Joint Commission inspections are not scheduled in advance. The organization also plans to ramp up accreditation elements based on IT, including IT security.
“We are saying that beyond the specifics of [recent initiatives], healthcare institutions should be prepared for more audits,” he says. “We think the reasonable response of healthcare organizations is not to panic, but in an orderly way, step up initiatives in this area.”
What HHS Says
Although widely reported that an HHS initiative contracted to PricewaterhouseCoopers is underway, which entails surprise audits at healthcare organizations where the CMS has received previous security complaints, Doo says there is no such element of surprise to the effort.
“They are called compliance reviews, and they are part of what we are authorized to do as part of HIPAA,” she says, adding that organizations are given about one month’s advance notice by letter regarding the pending review.
The contract with PricewaterhouseCoopers was established to assess a fixed number of healthcare organizations that have had previous security complaints filed with the CMS.
Pointing out that the focal point of the reviews will center on remote access, Doo notes that “we really want to look at what people are doing from a policy and procedure perspective because that’s where they are going to have a lot of vulnerability.”
With three reviews under its belt as of mid-May, the plan is to complete 14 by the end of the year, according to Doo. The results of the findings will be published on the CMS’ Web site, and organizations reviewed as part of the effort will remain confidential unless major lapses are uncovered.
“This has been within our authority since the rule went into effect in 2005. We’re just trying to execute the plan,” Doo says. “This is not about scaring people. We are not out to catch people doing things wrong; we are out to help them find their vulnerabilities.”
Rishel notes that this contracted effort was initiated with the purpose of determining whether there should be more focus on auditing. It is his belief that there will be enough concern to warrant future action.
“Organizations have good, solid business reasons to do better than they do now on security,” he says. “It’s the same advice we give them every year. It just has a little more stick this year because of the audits.”
Ogilbee says University Hospitals started a significant compliance campaign when HIPAA was introduced in 2005 and has continued that initiative, but plans are in place to “take a step back and do a complete reassessment” this year.
The OIG Factor
Harlow says the concern about “surprise audits” can be traced to the widely reported OIG audit of Atlanta’s Piedmont Hospital in February 2007. As part of its investigation, the OIG requested 42 specific categories of documents relating to privacy and security. “That served as a wake-up call for the industry,” he notes.
Rishel points out there are two primary entities that deal with complaints filed over HIPAA privacy and security issues—the CMS and the OCR. “If you file a complaint, it will go to one of those two offices,” he says, adding that these two bodies have specific regulations to adhere to in their enforcement of the rules.
Then there’s the OIG, which has a broader charter to audit any agency that bills Medicaid or Medicare. In the past, the OIG has focused its efforts primarily on fraud and program abuse but has since chosen to use its audit authority to review hospital security as well. In fact, the 2008 OIG Work Plan reads, “We will review CMS’s oversight, implementation, and enforcement of the regulation implementing security standards required under sections 261 and 262 of HIPAA (referred to as the HIPAA Security Rule). Specifically, we will determine whether CMS has implemented controls to reasonably ensure that the HIPAA Security Rule achieves its intended results.”
While not officially confirmed, Rishel suggests that the OIG seems poised to conduct similar security audits such as that of Piedmont Hospital in the future. Currently, the known OIG audits, along with the 10 to 20 hospitals that will be reviewed under the PricewaterhouseCoopers contract, represent only a small fraction of the covered entities subject to HIPAA security regulations.
Industry experts expect that the reviews will support the need for more proactive auditing, reinforcing the OIG’s current course, and could potentially result in the establishment of a separate process for more aggressive HIPAA security auditing.
Taking preventive measures is the right step, says Harlow, who suggests using internal compliance initiatives and external resources. “The best approach is to have an outside group conduct a compliance audit,” he says.
At University Hospitals, Ogilbee says regular risk assessments are conducted, and the organization creates a yearly plan for security activities “to improve its security posture.” Besides internal compliance initiatives, Ogilbee says University Hospitals has identified a need to use third-party consultants. “There are certain aspects of security that are pretty technical in nature,” he explains. “You want to bring in the experts.”
Harlow notes that many healthcare organizations are making efforts to conduct internal compliance assessments but are not looking for outside expert advice. “Many have implemented internal compliance departments rather than using outside entities,” he says. “That can work only if the department is sufficiently [unbiased].”
Spot checks are one of the best methods for monitoring compliance, according to Harlow, who suggests targeting one HIPAA security or privacy issue and auditing the compliance of several departments at one time.
To measure the effectiveness of the organization’s IT security practices, Ogilbee turns to the Control Objectives for Information and Related Technology (CobiT) as a “useful measure to put a number or value next to a security program.” Created by the Information Systems Audit and Control Association and the IT Governance Institute, CobiT provides a set of generally accepted measures, indicators, processes, and best practices to maximize the benefits of technology.
Remote access is expected to become a focal point of auditing and reviews, says Harlow, noting that while off-site access to patient information is becoming increasingly important to a mobile workforce, it creates the potential for security hazards.
“[Policies and procedures] regarding remote access have to be addressed comprehensively,” he explains, pointing out that effective security approaches toward newer and increasingly popular forms of technology such as software-as-a-service will also raise concerns. “The challenge with new technology and new rules is that there is opportunity for confusion,” he says. “There’s a lot of education that needs to be done.”
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to healthcare and travel.
Tips From Gartner
In the recently published “Gartner’s Top 12 Actions for the Healthcare CIO, 2008,” analysts specifically cited security plans as a key strategy for preparing for increased scrutiny of HIPAA privacy and security compliance. Below are the details from Action 5 and Action 9 of the report.
2.5 Action 5: Be Prepared as Quality Watchdogs Turn to IT
In the past, many healthcare CIOs [chief information officers] have paid relatively little attention to the activities of healthcare quality watchdogs such as The Joint Commission in the United States and the Healthcare Commission in England. However, the times are changing. IT increasingly affects the clinical and administrative domains these bodies monitor, and the availability of more electronic information, in turn, stimulates watchdog interest in more extensive quality reporting. Features of The Joint Commission’s “National Patient Safety Goals” will require significant healthcare IT support if they are to be achieved (for example, patient identification for medication administration or critical value reporting), and new information management and privacy/security standards will evolve to IT responsibility as medical records become electronic.
If you aren’t specifically aware of what the health quality watchdogs in your country are asking, get up to speed immediately. Their bite is worse than their bark, and you never want to be caught off guard. Be part of the team that anticipates their unannounced visits and future quality measures.
• CIOs and chief medical information officers should ensure the organization anticipates the current and next likely core measures and reporting needs in your CPR [computer-based patient record] system design, knowledge life cycle management, and performance reporting.
• Be mindful that many aspects of compliance still remain the purview of other executives and managers. The CIO can’t become the dumping ground for others’ issues just because they involve the word “information.”
• Work with watchdogs in getting the data they need. This is a second justification for investment in BI [business intelligence] and reporting tools. Get data analysts to join forces with compliance champions to generate dashboards, reports, and corrective actions well ahead of reporting deadlines.
• Investigate security governance, risk, and compliance management aspects of the organization’s requirements for privacy protection.
— Analysis by Jonathan Edwards and Thomas Handler, MD
2.9 Action 9: Dust Off the CDO’s Security Plan
Chief development officers (CDOs) have spent significant amounts of their IT budgets on “keeping the bad guys out” by deploying firewalls, intrusion detection, antivirus/spyware protection, patch management, content filtering, and so on. More recently, they have begun to focus on “letting the good guys in” with identity and access management products such as single sign-on, user provisioning, and strong authentication. However, these piecemeal privacy and security controls may not add up to an effective security plan. CDOs are often unsure how safe or compliant they are and how these complex products work together. CDOs should dust off the security plan and bring it up-to-date in anticipation of increased HIPAA audit and enforcement activity in 2008.
• Revisit the enterprise security plan to ensure that current security requirements and corresponding controls make sense.
• Get a better understanding of who is getting access—with more rigorous authentication and vetting of rights and privileges—before expediting access with single sign-on, remote access, and portals.
• Investigate network access control strategies that help bring together various point solutions for users and device access to the enterprise—particularly wireless user devices and medical devices.
• Track and monitor user access and behavior patterns—in real time and retrospectively—and pilot network behavior and log management products to that end.
• Look into governance, risk, and compliance management tools to help the organization determine its compliance.
— Analysis by Barry Runyon