HIPAA Audit Prep: Five Key StepsHow to Demonstrate 'Good-Faith Effort' to Comply
When auditors arrive, Chaput says, they'll evaluate both technical and non-technical safeguards. "At one end of the continuum they're going to want evidence and documentation that there's a vibrant and active privacy and security governance committee in place ... And on the other end, they're going to look at very, very specific technical controls and safeguards ..." he predicts.
In an interview with HealthcareInfoSecurity's Howard Anderson (transcript below), Chaput spells out five key HIPAA audit preparation steps:
- Formally establish and charter a privacy and security risk management council.
- Complete an updated evaluation of technical and nontechnical safeguards for protected health information.
- Conduct a timely risk analysis addressing all threats and vulnerabilities.
- Complete an assessment of compliance with the HIPAA privacy rule. That includes demonstrating that all appropriate policies, procedures and training are in place and that business associate agreements address all necessary privacy issues.
- Document and act upon a corrective action plan, based on a risk assessment, to ensure compliance with the HIPAA security and privacy rule as well as the breach notification rule within HIPAA, and also to demonstrate overall risk management.
The Department of Health and Human Services' Office for Civil Rights recently hired KPMG to conduct up to 150 HIPAA compliance audits by the end of 2012 (see: HIPAA Compliance Audits Described). Chaput predicts that auditors will request extensive documentation, including: a risk analysis; privacy and security policies and procedures; sanctions for violating policies; breach notification procedures; training materials and evidence training has actually taken place.
Chaput is president of Clearwater Compliance LLC, a privacy and security consulting firm that helps covered entities and business associates comply with HIPAA and the HITECH Act.
HIPAA Audit HistoryHOWARD ANDERSON: You recently prepared a report on the handful of HIPAA audits that have been conducted in recent years. Tell us a bit about the nature of those audits and please summarize the main lessons that can be learned from those audits in terms of how to prepare for the Office for Civil Rights' upcoming full-scale HIPAA compliance audit program.
BOB CHAPUT: In fact, we looked at the audits that were performed over the course of the last eight years or so, and, additionally, a number of "enforcement actions," including some of the recent resolution agreements and corrective action plans. We also looked at some of the data requests that have come out of breach events or the follow-up. With the caveat that the audits and enforcement actions don't quite yet comprise what we can call a statistically significant sample, just with some caution about drawing conclusions, I'll forge on and offer the following three macro lessons learned.
The first and foremost is, and this is especially when we look at the HIPAA security final rule, compliance is not an IT problem. It's a business risk management problem. And as an example, if you look at some of the resolution agreements that have been signed recently, such as UCLA Health System and Massachusetts General, these documents have not been signed by the "IT guy." They're being signed by the CEOs of the organizations.
Number two ... documentation is critical, everything from policies and procedures, assessments, forms - evidence that demonstrates that you have undertaken a good faith effort to comply. These may even include training materials as well as evidence that training has actually taken place.
And number three is be careful, be aware. What we've seen in the audits that were conducted by OIG [Department of Health and Human Services' Office of Inspector General] is that they're really getting into the underlying NIST [National Institute of Standards and Technology] framework and some of the underlying related documentations within NIST.
... If you look at the [letter of the] law, there's a certain amount of guidance that's provided, but it appears that beyond the [letter of the] law we might be in a situation that we've characterized in our white paper as hyper-vigilance. For instance, if you look in the 2011 OIG report, there's an admonishment to a very, very specific, technical level, that four or five hospitals move from WEP Wireless Protocol to WPA, and in that same citation they talk about the vagaries of Leap, a Cisco protocol. That's getting really into it. Within the context of this third major lesson learned, I would encourage organizations to take a look at a NIST document called Special Publication 800-66. It is a tome, it's 117 pages, but it provides a mapping of each one of the HIPAA security rule standards and implementation specs back over to the NIST framework. Those would be my three major lessons learned.
HIPAA Audit ExpectationsANDERSON: The Office for Civil Rights has hired KPMG to conduct about 150 HIPAA audits by the end of 2012. What's your best guess on what covered entities can expect when it comes to auditors' processes and procedures, and the documentation they'll want to see?
CHAPUT: Many of us have seen by now the KPMG contract synopsis and many of us are now pouring through the actual contract now that it's out there in the public domain. With that said, I would recommend the following: I believe that the auditors are going to look broadly against the NIST framework most likely. They may indeed refer to the ISO 27000 series as a security framework. But what I specifically mean from a broad point of view is a complete set of administrative, physical and technical safeguards. It gets back to a point I made earlier, which is that this is not an IT problem, not a technology problem.
Number two, they're going to look for leadership, the C-Suite, to be engaged from a sincere business risk management perspective. At one end of the continuum, they're going to want evidence and documentation that there's a vibrant and active privacy and security governance committee in place and one with a process. And on the other end, they're going to look at very, very specific technical controls and safeguards. ...
Top 5 Steps to PrepareANDERSON: Finally, your report lists the five most important steps to take to prepare for the looming HIPAA audits. Why don't you outline each of those for us please?
CHAPUT: We've been asked that question for years by organizations that have been proactive, and it's usually in the form of, "How in the heck do I get started?" We're kind of old-fashioned when it comes to that because we believe the ultimate check lists are in the regulations themselves.
Number one, we encourage everyone to formally establish and charter a privacy and risk management council within the HIPAA security final rule, that so called section 164.308A8.
Number two, we recommend that organizations complete an evaluation. Once again, this is a standard within the HIPAA security final rule [that] falls under administrative safeguards and it's part of the compliance for the regulation that calls for organizations to periodically look at their technical and non-technical safeguards as it relates to meeting the requirements of that reg.
Number three: a risk analysis. Put HIPAA aside for a moment. Look at any solid security framework. The foundation step is to complete an analysis of your threats and vulnerabilities. These will be your information assets. That is something that was to have been done by covered entities as far back as April of 2005.
Number four, complete an assessment of your compliance with the HIPAA privacy rule. As a covered entity, you have these obligations as well. We've been focusing on security. I would refer organizations, specifically within the privacy rule, to section 164.530 called Administrative Requirements. You'll read about training, you'll read about policy and procedures, you'll read about your obligations and business associate agreements in place as well.
Then finally, having done the four steps above, you will come out of that with gap analyses and ultimately with corrective action plans. Our fifth recommendation is to document and act upon a corrective action plan for security rule compliance, privacy rule compliance, breach notification compliance and overall risk management.
If you do those things, I believe that the auditors are going to see a demonstration of a good-faith effort to comply with regulations. It's going to go a long way.