HIPAA Audit Riles Health IT

Computerworld - An audit of Atlantas Piedmont Hospital that was quietly initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of further enforcement actions related to the federal HIPAA laws data security requirements.

The audit was the first of its kind since the Health Insurance Portability and Accountability Acts security rules went into effect in April 2005, supplementing data privacy mandates that were already in place.

Neither Piedmont nor HHS has commented about the audit, and few details have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.

Among them were the hospitals policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of internal security rules by employees, and logging of system activities. The 18 other items requested included IT and data security organizational charts and lists of the hospitals systems, software and employees.

Sending Shock Waves

The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. I dont think Piedmont was an anomaly, he said. My sense is that there is going to be more feet on the street from HHS going on unannounced audits.

The security rules require organizations that handle health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.

Randy Yates, director of security at Memorial Hermann Healthcare System in Houston, said the Piedmont audit contributed in a big way to the approval of a $1.3 million budget item for data encryption during the medical service providers next fiscal year.

Everybody is aware of the Piedmont audit notification, Yates said. He added that after hearing about it, we did our own gap analysis and found out where we are at highest risk for noncompliance, and we have since taken steps to shore up [those areas].

As part of its efforts to bolster security, Memorial Hermann is also rolling out access management tools developed by Courion Corp. in Framingham, Mass. Yates said the software is expected to help the health care system set automated policies for controlling access to protected medical data by its 19,000 employees.

Also driving the increased focus on HIPAA compliance at Memorial Hermann is a directive issued last December by the federal Centers for Medicare & Medicaid Services (CMS), Yates said. The directive ordered entities that handle patient health information to implement stronger authentication mechanisms for limiting access to the data.