
The First Ever HIPAA Audit: Where's The Report? Does It Have Beef?

Gosh, I just had a flashback to the "Where's the Beef" commercial from years ago... :)

The U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule went into effect in April 2001 and gave covered entities (CEs) two years to get into compliance. The HIPAA Security Rule went into effect in April 2003, and CEs had until April 2005 to get into compliance.

Two years to get into compliance! That was a very generous lead time.

However, the U.S. Department of Health and Human Services (HHS) never performed a compliance audit...until recently.

In April of this year I blogged about how Atlanta's Piedmont Hospital was told it would be audited for HIPAA compliance.

Just a couple of days ago I blogged about "HIPAA & 4 Lessons From an Insider Threat Example: Former Healthcare IT Manager Hacks Into System and Deletes PHI."

And even though it took a little while to kick into my brain, today I was reviewing some health clinic security information and I thought about Atlanta's Piedmont Hospital...whatever happened with that HIPAA audit?

So, off to the HHS site I went! They would surely have some information on it, wouldn't they?

Hmm...where is it on the HHS Office of Inspector General site?

The HHS OIG is the office that is (or was) performing the audit, so the report, or at least information about it, should be there when it is complete. The audit started sometime between April and June, so maybe it is not yet completed.

Well, I guess I'll check elsewhere and see what speculation there may be.

Computerworld published an article about it in June, "HIPAA audit at hospital riles health care IT."

Yes, the article is completely speculative with regard to the audit results, but it is an interesting read.

"Neither Piedmont nor the HHS has confirmed that the audit was launched, and few details about it have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.

Among them were the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities. The document also requested items such as IT and data security organizational charts and lists of the hospital's systems, software and employees, including new hires and terminated workers."

Well, I would hope that at least this many items are examined by the auditors! I used to be an internal IT auditor, and I still maintain my CISA certification, and considering the scope of the HIPAA Security Rule I would anticipate the auditors asking for even more than 42 items to examine. One HIPAA compliance audit I did a few years ago for a healthcare insurer involved reviewing literally hundreds of documents and items.

The HIPAA Security Rule and Privacy Rule require CEs to implement controls within a wide spectrum of areas to address the risks unique to each of their organizations. If you don't want to read the regulatory text, read the book I co-authored with Kevin Beaver, "The Practical Guide to HIPAA Privacy and Security Compliance."

You will see that the scope of HIPAA compliance requirements is wide, but the requirements are basically good, practical controls organizations should have in place anyway to protect personally identifiable information (PII), and the HIPAA subset of PII defined as protected health information (PHI).

At last, compliance auditing has begun! The next litmus test will be to see what the audit report findings are, the associated recommendations, and any penalties and/or fines applied.


Comments

Not sure how much the writer knows about the process of a review of this type, but the audit report would and will never be released for his or our reading pleasure due to the sensitivity of the issues/findings.

Thanks for your note, Chuck.

It is true that if the details of an audit will create exposure to the organization that was reviewed, the full audit report and details will not be provided for public consumption. However, there is usually an Executive Summary provided to the public about the audits, or at the least a notice that the audit report was completed, with a general statement about the results that does not include details.

For more information and to see some of the reports and notices, see the OIG site at http://oig.hhs.gov/reports.html


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.