HIPAA Audit Update: Susan McAndrew
Susan McAndrew, deputy director for privacy in the HHS Office for Civil Rights, is hopeful that federal HIPAA privacy and security rule compliance audits of healthcare organizations and their business associates will start later this year.

In an exclusive interview, McAndrew says the timing of the start of the HITECH Act's mandated audit program "will really depend on the ultimate selection of what model we use" and how fast that model can be implemented.

McAndrew also said:

The audits likely will be outsourced and not conducted by OCR staff.
HIPAA security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical and physical safeguards.
Audits for compliance with the HIPAA privacy rule will focus on organizations' efforts to uphold individuals' rights, such as their right to access their own medical records.

McAndrew made her comments in an interview at the conference "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and the National Institute of Standards and Technology.

HOWARD ANDERSON: This is Howard Anderson, managing editor at HealthcareInfoSecurity.com, and we are talking to Susan McAndrew, deputy director for privacy at HHS Office of Civil Rights. Thanks a lot for taking some time today.

SUSAN McANDREW: It's a pleasure.

ANDERSON: You mentioned in your presentation this morning that you have been hiring additional investigators at regional offices to start up enforcement of the HIPAA privacy and security rules. Can you tell us about how many investigators have been hired and when their work begins?

McANDREW: Well actually it wasn't so much that we were hiring, although we are doing some of that, it is just that we have 10 regional offices that have been doing privacy investigations since 2003 and so we were simply retraining them and expanding their roles to take over the investigation of the security aspects of the cases. So now they will jointly investigate whether a particular complaint involves a security violation as well as a privacy violation.

ANDERSON: So up until passage of the HITECH Act, they were handling only the privacy component?

McANDREW: They were handling the privacy side and were referring cases, about 400, I think, cumulative over time, to CMS (Centers for Medicare & Medicaid Services), which was responsible for investigating the security rule cases.

ANDERSON: And that changed effective when?

McANDREW: July of last year. The HHS Secretary re-delegated the enforcement of the security rule to the OCR.

ANDERSON: Now are these the same folks that will be handling the HIPAA compliance audits or is that a different group of people?

McANDREW: That is uncertain at this time. I think in all likelihood we will not be using our investigatory staff to do the audits. We currently have a contractor that is helping us evaluate what our options are for building an effective audit program. We recognize we are going into an audit program with limited resources and we will need to carefully manage those resources to get the most bang for the buck out of this new audit authority. So we are asking this contractor to help us evaluate a number of different models for how to run an audit program and which of those models would be most cost-effective in our particular environment. We want to make sure that it works well with our ongoing compliance and enforcement efforts now, which are complaint and event driven.

ANDERSON: And when will that report be ready do you think?

McANDREW: I don't know exactly when the deliverable date is for that contract, but I do know I am expecting some status report in a couple of weeks.

ANDERSON: And when is the actual audit program likely to begin? Will that be this year?

McANDREW: I am hoping it will be this calendar year. It really will depend on the ultimate selection of what model and how fast then we can stand it up. In the interim, our investigatory staff does do, it is not an audit but it is an initiated review, we call them compliance reviews. And so that capacity does give us the ability to look into events and cases where we don't actually have a complaint but we know there has been some incident. For instance, for the breach reports that we get now from entities there is no complainant for those, but it is an incident that is reported to us so we do stand up an investigation based on those incidents. We can initiate those kinds of investigations when we need to, but the audit function, we really are hoping, as opposed to being reactive after an event has happened, they will be more proactive in terms of doing some measuring and general assessment of compliance and where weaknesses are that we can go in and provide assistance to the industry to shore up where there may be problems.

ANDERSON: So I assume it is too early to say whether the auditors themselves will be employed by your office or outsourced?

McANDREW: I am fairly sure they will be outsourced. I mean we really don't have the budget capacity right now to hire the number of people that we would likely need for an effective audit program so we will need to outsource that.

ANDERSON: And can you give us an idea of what folks at hospitals and clinics and other organizations can expect from an audit? We learned from your presentation this morning that you are going to be looking to make sure they've done a risk assessment as one factor, right?

McANDREW: Certainly with respect to the security rule, we do have...it is not a fully developed protocol, but there is a protocol that has been used by CMS to do something more akin to an audit of the security function and yes, it will start with a risk assessment. We have heard from many in the industry the need to reinforce the importance of a risk assessment and to help them figure out how to do a really good risk assessment. And so...that was our first piece of guidance that we are putting out there and we are taking comment on that through our web site. But it is very important and it would be one of the key elements that we would look at, as well as checking off the other administrative and technical and physical safeguards. I think one of the things the reported breaches are pointing out to us is that there are a lot of threats that continue to be external; there are a lot of thefts and break-ins that result in the loss of information. And so I think physical safeguards are something that need a little more attention, as well as working with people to understand the importance of encryption and other kinds of technical ways of protecting the information, even if you lose the media or the hardware.

ANDERSON: What about auditing compliance with the privacy rule?

McANDREW: With the privacy rule there are a range of possibilities there. Certainly we would be interested in focusing on how well individual rights are being delivered. We continue to get a high number of complaints about problems with people getting access to their medical records. That is really a fundamental right that the privacy rule provided to individuals and it is something that is very important to the individual and we want to make sure that everyone, all entities, know what their responsibilities are and that they are actually delivering these requests for records. We also are concerned about proper internal controls in terms of access to files. I think another problem we hear about a lot is individual staff abusing their privileges to access records, whether it is a celebrity record or a record of some relative or someone that they know is getting care at that facility. And (we are concerned with) these kinds of internal misuses of information and what controls the entity has to find these things when they happen and mitigate them through tighter access controls. That would probably be something that we would be looking toward in terms of a general compliance area.

ANDERSON: Any particular steps healthcare organizations should be taking to prepare for the day when they are audited?

McANDREW: Just the steps we would expect them to take even before the day that they come to the audit. Certainly the privacy of this information needs to be respected. There are stiffer penalties today for abuse of the privilege of getting this information and being a data steward of this information. And, you know, in terms of this conference going on now, just emphasis on making sure that your security and safeguards are there because as I said, if you don't have those safeguards, if you don't have those security policy and practices in place, then privacy is just a principle and we want privacy to be something real.

ANDERSON: In light of the major breaches that have been reported so far, are there particular lessons that we can learn from them in how to prevent breaches?

McANDREW: I would hope there would be lessons learned. I am continually surprised by the fact that you actually have to lose your laptop before the light bulb goes on and you say, "Gee, maybe I need an encryption policy here." You know, you are a lot better off if you can learn from your neighbor. Don't let it happen to you; encrypt those things now and don't wait until they are lost to suddenly decide, "Gosh that's probably a good idea." And the other lesson I hope people learn is that it is not good enough just to have the policy or to have that light bulb go on. Once you have established that as your policy, you really have to make sure that you train people and it is part of your culture to ensure that encryption happens because, two weeks after you issue the e-mail saying this is what you have to do, life takes over and people think it is too much trouble or they have to go see an IT person and they don't have time and they walk out the door without getting their laptop encrypted and bad things happen. So it is to have a good policy and enforce that policy so that we don't have to enforce that policy.

ANDERSON: Finally, any tips for those who are preparing a breach notification plan on what some of the essential elements are?

McANDREW: I think, again, it is just another aspect of your overall security and risk assessment, and if you have that in place you know the threats, you know the risks, and it is just integrating...your obligation now to notify individuals when a breach happens as well as notifying the department really immediately when big breaches happen. That is the new aspect of this. And then making sure that your incident assessment following a breach feeds back into your risk assessment so that you can better address that incident and make sure it doesn't happen again...

ANDERSON: Well thank you very much for your time Susan. I really appreciate it.

McANDREW: Sure.