HIPAA audit at hospital riles health care IT
Industry on edge after feds examine data security procedures at Atlanta facility
Computerworld - An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation.
The audit was the first of its kind since the Health Insurance Portability and Accountability Act's security rules went into effect in April 2005, joining data privacy mandates that were already in place. The security rules require organizations that handle electronic health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.
Neither Piedmont nor the HHS has confirmed that the audit was launched, and few details about it have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.
Among them were the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities. The document also requested items such as IT and data security organizational charts and lists of the hospital's systems, software and employees, including new hires and terminated workers.
The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. "I don't think Piedmont was an anomaly," he said. "My sense is that there is going to be more feet on the street from HHS going on unannounced audits."
Randy Yates, director of security at Memorial Hermann Healthcare System in Houston, said the Piedmont audit contributed in a big way to the approval of a $1.3 million budget item for data encryption during the health care provider's next fiscal year.
"Everybody is aware of the Piedmont audit notification," Yates said. He added that after hearing about it, "we did our own gap analysis and found out where we are at highest risk for noncompliance, and we have since taken steps to shore up [those areas]."
As part of its efforts to bolster security, Memorial Hermann is also rolling out access management tools developed by Courion Corp. in Framingham, Mass. Yates said the software is expected to help the health care system automate policies for controlling access to protected medical information by its 19,000 employees.
Also driving the increased focus on HIPAA compliance at Memorial Hermann is a directive issued last December by the federal Centers for Medicare & Medicaid Services (CMS), Yates said. The directive ordered entities that handle patient health information to implement stronger authentication mechanisms for controlling access to the data.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Legal White Papers | Webcasts