HIPAA Audit Riles Health IT

Medical industry on edge after feds examine hospital's security procedures

An audit of Atlantas Piedmont Hospital that was quietly initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of further enforcement actions related to the federal HIPAA laws data security requirements.

The audit was the first of its kind since the Health Insurance Portability and Accountability Acts security rules went into effect in April 2005, supplementing data privacy mandates that were already in place.

Neither Piedmont nor HHS has commented about the audit, and few details have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.

Among them were the hospitals policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of internal security rules by employees, and logging of system activities. The 18 other items requested included IT and data security organizational charts and lists of the hospitals systems, software and employees.

Sending Shock Waves

The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. I dont think Piedmont was an anomaly, he said. My sense is that there is going to be more feet on the street from HHS going on unannounced audits.

The security rules require organizations that handle health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.

Randy Yates, director of security at Memorial Hermann Healthcare System in Houston, said the Piedmont audit contributed in a big way to the approval of a $1.3 million budget item for data encryption during the medical service providers next fiscal year.

Everybody is aware of the Piedmont audit notification, Yates said. He added that after hearing about it, we did our own gap analysis and found out where we are at highest risk for noncompliance, and we have since taken steps to shore up [those areas].

As part of its efforts to bolster security, Memorial Hermann is also rolling out access management tools developed by Courion Corp. in Framingham, Mass. Yates said the software is expected to help the health care system set automated policies for controlling access to protected medical data by its 19,000 employees.

Also driving the increased focus on HIPAA compliance at Memorial Hermann is a directive issued last December by the federal Centers for Medicare & Medicaid Services (CMS), Yates said. The directive ordered entities that handle patient health information to implement stronger authentication mechanisms for limiting access to the data.

The fact that the audit appears to have been conducted by the HHS Office of the Inspector General (OIG) is puzzling, said Lisa Gallagher, director of privacy and security at the Healthcare Information and Management Systems Society in Chicago. She said most people in the health care industry had assumed that any security-related enforcement actions would be taken by the CMS, which administers the HIPAA security rules.

Nobody really knows why the OIG did it or whats going to be their criteria for selecting the next one, Gallagher said. Theres a lot of buzz in the industry.

Chris Apgar, president of Apgar & Associates LLC, a Portland, Ore.-based consulting firm, said he thinks HHS decided to conduct the audit at least partly because it was getting political and media pressure to enforce the law. Apgar expects to see more audits in the future. But he said theyre unlikely to occur very frequently, because the HHS simply doesnt have the required staffing resources.

Drawing Data

According to an HHS ddocument, the list of 42 items that the agency asked Piedmont Hospital to provide included the following:
POLICIES AND PROCEDURES FOR: OTHER REQUESTED ITEMS:

- Establishing and terminating user access to systems containing electronic medical records. - Recording and examining user activities within such systems.

- Dealing with violations of internal security rules by employees.

- Managing the installation of software patches on systems.

- A list of all systems containing protected health data. - A list of all systems administrators and end users who have access to the data.

- Organizational charts with the names and titles of key IT and information security staffers.

- A list of all antivirus software installed on systems.

Despite the industry buzz cited by Gallagher, Apgar said hes skeptical that the audit at Piedmont will spur many health care organizations to step up their efforts to comply with the security mandates.

Until at least several audits have been completed and the industry sees action taken to enforce the HIPAA security rules, I think serious attention to compliance will not be a major focus, he said.

Officials at Piedmont didnt respond to a request for comment about the audit. An HHS spokesman said only that as a matter of general policy, the agency doesnt comment about ongoing audits.

Copyright © 2007 IDG Communications, Inc.

Download: EMM vendor comparison chart 2019
  
Shop Tech Products at Amazon