HIPAA Audit Protocol Lacks MeatHealthcare Security Experts React to Newly-Released Guidelines
The recently-released HIPAA Audit protocol, issued by the Department of Health and Human Services' Office for Civil Rights, lacks the kind of meaty details many had hoped to see. This is consensus of several healthcare security experts interviewed about the protocol.
"The audit protocol is probably a lot less sophisticated than many might have hoped for, and I'm sure sufficiently simple for those who were hoping for that outcome," says Mac McMillan, CEO of it security consulting firm CynergisTek and chair of the Health Information Management and Systems Society's privacy and security policy task force.
McMillan is the author of the new educational webinar, Dept. of Health & Human Services HIPAA Audits: How to Prepare.
Others agree with McMillan. "The audit protocol is not that helpful. In most cases it just parrots back the regulation with little additional information," says Kate Borten, president of information security consulting firm The Marblehead Group.
There are also gaps. "Where there is detail, it's uneven," Borten says. For instance, while the protocol is fairly deep on encryption, "There's no detail on transmission security," she adds.
The protocol, unveiled in June, includes 165 areas of performance evaluation, including 77 for the HIPAA security rule, and 88 for the HIPAA privacy rule and HIPAA breach notification rule. It was developed by OCR and KPMG, the consulting firm that has been hired by HHS to conduct HIPAA audits under a pilot program that's running until the end of December.
Not everyone thinks the current protocol is deficient. "It's well done," says John Halamka, CIO at Beth Israel Deaconess Medical Center in Boston, explaining that the protocol provides a "useful rubric for assessing the status of an organization's compliance."
The protocol is not intended to tell organizations how to develop policies, but is rather a tool for assessing compliance, he says. BIDMC will combine the protocol and flesh out details using a subset of the NIST 800 framework as a means of benchmarking our policies and technologies.
"The OCR audit protocol, plus a subset of NIST 800 implementation guides, provide a roadmap for compliance success," says Halamka, who is also co-chair of the HIT Standards Committee, an advisory group to the Office of National Coordinator for Health IT.
Work in Progress
While some industry observers and insiders had hoped for more details in the protocol, OCR officials defend the level of specificity that's contained in the HIPAA guidance.
The rules weren't designed as one-size-fits-all set of requirements for all the various types of covered entities that could be audited, says Susan Sanches, senior adviser and health information privacy lead at OCR in a recent interview.
So far, only 20 covered entities, including health plans, doctor groups and hospitals have been audited, and the protocol was developed based on that work. However, as more audits are conducted, the protocol will probably continue to be refined and clarified, she says. OCR expects KPMG will complete 115 audits by the end of 2012. When the pilot program ends, Sanches says she expects audits to continue in 2013.
"We made some changes based on the experience of the first 20 audits, and I expect there will be further changes because ... we'll have more experience with the next group," says Sanches.
Some Meat on Bones
While the protocol isn't as detailed as he had hoped, "There was some expansion of the specifications with respect to expectation," says McMillan.
For instance, in the HIPAA rule, evaluation is minimally explained, he says. "But in the protocol it is clear we're talking about technical evaluation of the external and internal technical controls environment, and that means vulnerability testing."
In addition, the protocol makes frequent reference to assessing technology to achieve compliance with certain specifications, and clearly signals the expectation that organizations need to consider seriously technology when addressing compliance, says McMillan.
Despite the lack of specificities in some areas, "Overall the protocol does provide enough information for organizations to derive a general expectation for the audit and what their program needs to cover," McMillan says.
"The best way to be ready for an audit remains having a good sound privacy and security program based on a recognized standard and well documented," he advises.