Why Preparing for an OCR HIPAA Audit May Lead to a False Sense of Security
Many healthcare organizations breathed a collective sigh of relief when the Office of Civil Rights (OCR) under the
Department of Health and Human Services (HHS) finally made their HIPAA audit protocol publicly available this past
June. It can be accessed here. As a refresher, Section 13411 of the 2009 HITECH Act required that HHS “provide for
periodic audits to ensure that covered entities and business associates that are subject to the requirements of (HITECH
and HIPAA), comply with such requirements.” The protocol was developed under OCR collaboration with “Big 4”
consulting firm KPMG.

Uncertainty persisted since late last year when it was announced that OCR/KPMG had completed work on the audit
protocols. Indeed, even the first 20 audits were conducted before the protocol was made public. Not knowing what they
might be audited for had raised anxiety levels among some covered entities. Many of Redspin’s clients and prospective
clients asked us for guidance during the 7 or 8 months prior to the protocol publication. We advised all who asked that if
they wanted an early look at the HIPAA security audit protocol, they need only refer back to the HIPAA Security Rule
itself. We posted that the federal government, even with KPMG’s potential bias (since they are also conducting the first 115
audits), could not stray very far from a law that had been on the books since 2005.

We were right. Each of the 77 audit areas of performance evaluation that relate to IT security cites Security Rule section
numbers and uses the exact Security Rule language to describe “Established Performance Criteria.” Years ago, Redspin
mapped our own HIPAA Risk Analysis and Security Assessment to the Security Rule, so we had a good idea of what to look
for in the OCR/KPMG document. (A copy of our crosswalk map is freely downloadable; click here to download it.)

However, there is one very important difference between Redspin’s scope of work and any audit protocol. We’ve always
maintained that the HIPAA Security Rule informs our work but we also consider the Rule and any protocols derived
thereunder a subset of the work we do. What the HIPAA Security Rule and the OCR audit protocols fail to dictate is the
comprehensive security testing that is also required to truly be in compliance.

Redspin’s approach has been instrumental in our success in helping nearly 100 hospitals meet their security requirements
under the Stage 1 EHR “Meaningful Use” Incentive Program. Core Measure 14 of Meaningful Use mandates that
hospitals conduct a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement
security updates as necessary, and correct security deficiencies identified as part of its risk management process.

Thus, while most people generally associate HIPAA with privacy, the migration to electronic health records has placed the
emphasis squarely on security. As Howard Schultz, former White House Cybersecurity Czar, has said, “Without security,
there is no privacy.”

This shift is vitally important to understand. Most hospitals’ IT staff members do not have the expertise or tools needed to
accurately perform a Core Measure 14 Risk Analysis. HIPAA consultants, particularly those who have been in the industry
for many years, invariably understand the privacy regulations far better than IT security. Even the auditors empowered by
OCR are likely to emphasize privacy and notification policy and procedures while missing the larger threat to safeguarding
protected health information (PHI) that may manifest as an erroneous firewall configuration, open port, or default
password on a critical system.

Our point is that comprehensive security testing in healthcare organizations is an absolute must. Today’s hospital IT
infrastructures are an order of magnitude more complex than they were just two years ago. Electronic health records have
raised the stakes for data breach: a simple oversight, an insecure password, or the theft of a single portable electronic device
can now impact thousands if not millions of patients and result in a major financial and reputational hit to a healthcare
provider.

The HIPAA Security Rule and the OCR/KPMG HIPAA audit protocol provide compliance guidance but ultimately they are
just words on paper. Truly safeguarding protected health information means digging in technically with security experts
(internally or with outside consultants such as Redspin). IT security itself is a process, not an audit. It involves testing your
infrastructure, your systems, your applications, your employees, and your business associates. It is about finding
vulnerabilities, implementing remediation plans, validating that the appropriate fixes have been made, and building
periodic, repeat IT security testing into your overall risk management program.

Web: www.redspin.com | Phone: 800-721-9177 | Email: info@redspin.com
