The First Ever HIPAA Audit: Where’s The Report? Does It Have Beef?

Gosh, I just had a flashback to the “Where’s the Beef” commercial from years ago… 🙂
The U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule went into effect in April, 2001, and gave covered entities (CEs) two years to get into compliance. The HIPAA Security Rule went into effect in April 2003 and CEs had until April 2005 to get into compliance.

Two years to get into compliance! That was a very generous lead time.
However, the U.S. Department of Health and Human Services (HHS) never performed a compliance audit…until recently.
In April of this year I blogged about how Atlanta’s Piedmont Hospital was told it would be audited for HIPAA compliance.
Just a couple of days ago I blogged about “HIPAA & 4 Lessons From an Insider Threat Example: Former Healthcare IT Manager Hacks Into System and Deletes PHI
And even though it took a little while to kick into my brain, today I was reviewing some health clinic security information and I thought about Atlanta’s Piedmont Hospital…what ever happened with that HIPAA audit?
So, off to the HHS site I went! They would surely have some information on it, wouldn’t they?
Hmm…where is it on the HHS Office of Inspector General site?
The HHS OIG is the office that is/was performing the audit. It should be there when it is complete. At least information about it. It started sometime between April and June, so maybe the audit is not yet completed.
Well, I guess I’ll check elsewhere and see what speculation there may be.
Computerworld published an article about it in June, “HIPAA audit at hospital riles health care IT.”
Yes, the article is completely speculative with regard to the audit results, but an interesting read.

“Neither Piedmont nor the HHS has confirmed that the audit was launched, and few details about it have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.
Among them were the hospital’s policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities. The document also requested items such as IT and data security organizational charts and lists of the hospital’s systems, software and employees, including new hires and terminated workers.”

Well, I would hope that at least this many items are examined by the auditors! I used to be an internal IT auditor practitioner, and still maintain my CISA certification, and considering the scope of the HIPAA Security Rule I would anticipate the auditors would have asked for even more items to examine than 42. One HIPAA compliance audit I did a few years ago for a healthcare insurer involved reviewing literally hundreds of documents/items.
The HIPAA Security Rule and Privacy Rule require CEs to implement controls within a wide spectrum of areas to address the risks unique to each of their organizations. If you don’t want to read the regulatory text, read the book I co-authored with Kevin Beaver, “The Practical Guide to HIPAA Privacy and Security Compliance.”
You will see that the scope of HIPAA compliance requirements are wide, but are basically good, practical controls organizations should have in place any way to protect personally identifiable information (PII), and the HIPAA subset of PII defined as protected health information (PHI).
At last compliance activities have begun! The next litmus test will be to see what the audit report findings are, the associated recommendations, and any penalties and/or fines applied.

Tags: , , , , , , , , , , , , , ,

Leave a Reply