The 5 Elements of an Effective HIPAA Audit Preparation Program

by Kerry Shackelford, National Healthcare Practice Lead, Coalfire

The HIPAA compliance audit program (pilot version), which launched last month and is slated to continue through the end of this year, is paving the way for a permanent program. The audits will help organizations improve their compliance with the HIPAA privacy, security and breach notification rules, and the Office for Civil Rights (OCR) plans to share best practices gleaned from the audit process. A recent survey highlights many shortcomings in healthcare organizations’ IT security efforts, including:

  • 26% of organizations have yet to conduct a risk assessment, as mandated by HIPAA.
  • 43% rate their ability to counter information security threats as poor, failing or in need of improvement.
  • 25% say they've experienced an information breach of a size that had to be reported to federal authorities. Some experts say a much larger percentage of organizations have likely experienced breaches, but they may be unaware of the incidents.
    [Source: ISMG Healthcare Industry Report, 2011]

In this article we’ll review the common gaps and vulnerabilities in IT security programs that we’ve seen in our engagements with clients in the healthcare industry. We recently heard from an MIS Director at a large health plan organization in the Midwest who had just wrapped up one of the ‘surprise’ audits by the OCR. The Director stressed how important it was for them to have an external audit completed before the OCR auditors arrived. The external audit allowed them to identify gaps in their IT security program, gain insights on preventing breaches, learn about incident response plans, and get tips on working with business associates to prevent breaches.

The Inventory

Do you know what electronic protected health information or “ePHI” you have and where it resides?
This is a logical first question for an assessor – what scope is my assessment going to cover? A prepared organization will know the answer to that question. You should have an inventory of your organization’s ePHI. We sometimes refer to this inventory as the “ePHI environment.” It should consist of formal documentation that identifies the application systems, databases and data stores, and system components that support or protect the ePHI. It should also identify third parties who receive or send ePHI, as well as service providers that create, receive, maintain or transmit ePHI on behalf of your organization.

The Risk Analysis

Do you know how your ePHI environment might be susceptible to compromise?
After you know what ePHI you have, how you get it, where you store it, and where it goes, you need to assess the risks posed to the ePHI in each of those areas. This is a formal activity, required by Administrative Safeguard #1 – Risk Analysis. Many providers and payers have not developed a HIPAA-compliant risk analysis. To do so, the scope of the risk analysis must cover the ePHI environment, and each point in the flow of ePHI must be analyzed to identify vulnerabilities, threats, and the related risk management activities and controls, if any. Out of this analysis, your organization can identify where the risks to ePHI are unacceptable and develop the remediation plan to reduce those risks. I know we think of risk analysis more in terms of “Meaningful Use” at present; however, it is foundational to the HIPAA Security Rule and supports your organization’s decision-making regarding the Rule’s “addressable” implementation specifications.

The Compliance Program Assessment

Are you doing the right things to protect the ePHI and to comply with HIPAA?
The only way to reach the point where worries about compliance subside is to start the journey. Starting involves taking stock of what your organization has done, or is doing, to meet the requirements of HIPAA and the HITECH Act. This can be a tedious activity. The organization must thoughtfully review each requirement, understand it, document the control activities that address it, assess whether there is evidence that the control activities are performed, identify shortfalls, and add to the remediation plan as necessary.

Technical Testing

Are you performing the tests to confirm that your program elements are effective?
After reviewing the HIPAA compliance program and the design of controls, the organization must perform tests to confirm that the compliance program elements and controls are operating effectively. The scope of testing should include administrative, physical, and technical safeguards. Though not absolutely required by HIPAA, we recommend that a vulnerability assessment be performed using scanning software. This should focus on both the publicly visible elements of the ePHI environment and the internal network. It provides useful feedback on the effectiveness of some of the controls. For the other controls, old-fashioned tests of compliance are the only way to see whether processes like security provisioning and de-provisioning are operating effectively.
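As an added illustration of the “old-fashioned” compliance test mentioned above (this is example code written for this article, not a Coalfire tool), the script below compares a constructed HR termination list against a constructed export of user accounts and flags de-provisioning failures: accounts left enabled or disabled late, logins after the termination date, and enabled accounts that map to no known worker. The three-day disable window, the user names and the dates are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not real records): HR termination dates.
TERMINATIONS = {
    "jdoe": date(2012, 3, 1),
    "asmith": date(2012, 3, 15),
    "bwong": date(2012, 4, 2),
}
# Constructed roster of workers who are still employed.
ACTIVE_ROSTER = {"clee"}
# Constructed account export: per user, enabled flag, disable date, last login.
ACCOUNTS = {
    "jdoe":       {"enabled": False, "disabled_on": date(2012, 3, 2),  "last_login": date(2012, 2, 29)},
    "asmith":     {"enabled": True,  "disabled_on": None,              "last_login": date(2012, 3, 20)},
    "bwong":      {"enabled": False, "disabled_on": date(2012, 4, 20), "last_login": date(2012, 4, 10)},
    "clee":       {"enabled": True,  "disabled_on": None,              "last_login": date(2012, 4, 25)},
    "svc_legacy": {"enabled": True,  "disabled_on": None,              "last_login": date(2012, 1, 5)},
}
AS_OF = date(2012, 4, 30)                 # date the test is run
DEPROVISION_WINDOW = timedelta(days=3)    # assumed policy: disable within 3 days

def deprovisioning_findings(terminations, accounts, as_of, window=DEPROVISION_WINDOW):
    """Return (user, issue) pairs for terminated workers whose accounts were
    not disabled within `window` of the termination date, or were used after it."""
    findings = []
    for user, term_date in sorted(terminations.items()):
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted: nothing to flag
        deadline = term_date + window
        if acct["enabled"] and as_of > deadline:
            findings.append((user, "still enabled"))
        elif acct["disabled_on"] is not None and acct["disabled_on"] > deadline:
            findings.append((user, "disabled late"))
        if acct["last_login"] > term_date:
            findings.append((user, "login after termination"))
    return findings

def orphan_accounts(accounts, roster, terminations):
    """Return enabled accounts that belong to neither a current worker nor a
    known termination, i.e. accounts provisioning never tied to a person."""
    known = set(roster) | set(terminations)
    return sorted(u for u, a in accounts.items() if a["enabled"] and u not in known)

if __name__ == "__main__":
    for user, issue in deprovisioning_findings(TERMINATIONS, ACCOUNTS, AS_OF):
        print("FINDING: %s - %s" % (user, issue))
    for user in orphan_accounts(ACCOUNTS, ACTIVE_ROSTER, TERMINATIONS):
        print("FINDING: %s - enabled account with no owner" % user)
```

Each finding is evidence for the auditor that the de-provisioning control did not operate as designed for that account; a clean run is evidence that it did.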

The Remediation Plan

Are you making progress in remediating the compliance gaps?
No organization is perfect; there will be issues. Your organization must put in place a plan of action to close the gaps. The gaps should be prioritized and progress milestones established so that you can manage them to closure. Those gaps that pose the greatest risk of a breach should be addressed urgently. Within that group, it may be desirable to tackle first those activities that are both easy and inexpensive to deal with. There are many ways that an organization can fall short of HIPAA compliance. We see some common themes from our HIPAA compliance assessments:

  • The ePHI inventory is missing or known to be incomplete.
  • The Risk Analysis is missing entirely, is at too high a level, or lacks support for unimplemented “addressable” implementation specifications.
  • HIPAA Security policies and/or procedures are not documented.
  • Unimplemented “Addressable” implementation specifications are not documented.
  • Unencrypted drives and media with ePHI are not adequately secured.
  • Access to ePHI is excessive.

Be ready: get your house in order
There’s no doubt that having your ‘ducks in a row’ can make a potential government audit less painful. Compliance, best-practice frameworks, and internal policies and standards are not one-time processes. Automating these processes with leading-edge IT GRC toolkits establishes a foundation for ongoing compliance and can ensure that your processes, information, reputation and bottom line are protected and enhanced. And with the increasing trend of moving data to the cloud and its associated security concerns, the need for employee training programs to help prevent data breaches, and the security issues surrounding mobile device usage in the workplace – all of these risks should, and must, be addressed now.