Re: HIPAA Compliance
Message #29 of 49
COMPLIANCE COUNSELOR
HIPAA privacy regulations get some teeth: Be prepared
Randy Nash, Contributor
09.17.2008
===================================================================

While I've almost never seen an audit that didn't produce some sort
of findings, it is possible to reduce the effect of findings by being
as prepared as possible.

Watch out folks, it's finally happened. The U.S. Department of Health
and Human Services (HHS) has levied the first penalties against a
healthcare agency. Providence Health & Services, based in Seattle,
has agreed to a six-figure settlement following HIPAA security and
privacy violations related to the loss of 386,000 patients' personal
health information. Before mid-July, settlements had previously been
resolved by demanding that organizations fix their privacy and
security problems. It's no longer sufficient, however, to tell the
auditors, "we'll resolve that problem."

The HHS settlement agreement states that disks containing
individuals' HIPAA-protected health records were taken from
employees' cars on at least five occasions in 2005 and 2006. The
agreement also mandates that Providence Health and Services use
encryption and other data protection policies to prevent unauthorized
opening of files. Providence must also train employees on security
processes and issue compliance reports to HHS for three years.

This news should eliminate the false perception among healthcare
organizations that HIPAA compliance is optional. Now that fines and
monetary penalties are on the table, it's time for enterprises to
shore up their HIPAA compliance programs, and that means being
prepared for that next audit. Here are several steps enterprises can
take to ensure a successful HIPAA audit.

What are the trends?
A quick review of HHS compliance and enforcement data shows that the
top five HIPAA compliance and enforcement issues during the past few
years remain virtually unchanged. Among others, common problems
include impermissible uses and disclosures, safeguards, and access
control. These issues recur because they are the
core of a successful HIPAA compliance program. They involve controls
that range across the full spectrum of technical, operational and
management controls. Failures of these controls may lead to
inappropriate disclosure and thus bring negative attention to the
organization. Unfortunately, while the overall security posture is
stagnant across the healthcare industry, the number of complaints
filed against an organization due to the loss or exposure of
sensitive information continues to rise. Such a scenario will
generally lead to a more focused audit of that particular
organization as trends develop and become recognized across the
industry. For example, as more laptops have been lost and/or stolen,
audits have focused on the policies, procedures and technical
controls related to protecting mobile devices and data.

Pre-audit meeting
Auditors don't show up without an invitation, so before meeting with
them, plan to gather your staff and key personnel and review the
status of all outstanding projects. Also let them know the purpose of
the audit and what areas or functions the auditors are expected to
focus on. Common focus areas include the accuracy and completeness of
documentation, current risk assessments, review of POAMs (plan of
action and milestones), current inventory, and security awareness and
training. Auditors expect key staff to know what's going on in the
organization. If people don't know that a security measure, like
encryption for example, hasn't been implemented, the conflicting
stories will be a red flag to the auditor.

Document everything
What will the auditors want to see when they arrive? Documentation;
lots of it! All documentation of security procedures needs to be
properly maintained and updated. In the eyes of the auditor, if it
isn't in writing, then it didn't happen. All staff should be aware of
the existing security policies and processes. If not, then they need
proper training. You do have an awareness training program, don't
you? The auditor will want to know that your team is aware of
organizational policies and security practices.

It's a good idea to show up at the initial auditor meeting with
copies of critical documentation, possibly including security plans,
risk assessments, policies, procedures, contingency plans and
disaster recovery processes. They're going to ask for it; the sooner
you provide it to them, the quicker they'll be kept busy reading and
digesting it all.

Communication is critical
Communication will be critical throughout the audit process. Stay in
touch with the audit team, be cooperative and make sure they have
what they need. In spite of the bad rap auditors get, they really are
on your side. Daily briefings with the auditors and staff can ensure
the process goes smoothly.

To prevent rumors, communicate with your staff as well. Staff members
should be notified ahead of time if their assistance will be needed
for any aspect of the audit. They should be given enough time to be
prepared for interviews.

Handling any findings
No matter how thorough your work has been, there are likely to be
some findings by the auditors. Don't panic! Listen thoroughly to what
the auditor has to say. Not all findings are legitimate, but may be
due to a misunderstanding of the environment, the implementation of
controls, and any mitigating factors in the environment. If there's
any misunderstanding due to the specifics of your organization, you
will have an opportunity to discuss the issues in a professional
manner. Supporting documentation may be helpful to demonstrate where
the misunderstanding lies. The auditor is not intimately familiar
with your environment, so it's quite possible he or she has missed
something along the way or drawn an incorrect conclusion. If that's
the case, it can be worked out.

If the auditor is correct in his or her finding, however, discuss the
effect of the finding in your environment. Demonstrate any mitigating
factors that may have been overlooked. Above all, cooperate and be
professional; a peaceful discussion will go a long way toward
reaching a solution.

Conclusion
While I've almost never seen an audit that didn't produce some sort
of findings, it is possible to reduce the effect of findings by being
as prepared as possible. Accurate and complete documentation of
security controls -- being able to clearly demonstrate that
health-related data is well-protected through encryption, access
control policies, or other procedures -- is the best way to prepare
for and ensure a successful audit.
Thu Sep 18, 2008 7:59 am

mohamadaa
Mohamad Anwar