HIPAA Audits: How to Prepare

David Wiseman offers lessons learned
To prepare for a potential government audit of their HIPAA security rule compliance, hospitals should have a detailed information security plan and be able to prove they're carrying it out. That's the advice of David Wiseman, information security manager at Saint Luke's Health System, Kansas City, Mo., who went through a federal audit two years ago.

Speaking at a security workshop Feb. 28 at the Healthcare Information and Management Systems Society Conference in Atlanta, Wiseman stressed the need to create a "security culture" throughout the organization.

He advised hospitals to guard against assuming that everyone -- even those in the IT department -- recognizes security as a priority. Many IT staffers who have expertise in certain applications lack awareness of security issues, he contended.

Another set of eyes

Stressing the need to have a third party perform vulnerability assessments or penetration testing, Wiseman said hospitals should not repeatedly hire the same firm to conduct the studies. It's important to frequently "get another set of eyes" for these assessments to help expose vulnerabilities, he said.

About two years ago, Saint Luke's Health System went through what was then a very rare federal audit when the U.S. Department of Health and Human Services was attempting to measure its ability to oversee and implement the HIPAA security rule.

Now the Office of Civil Rights within HHS is gearing up to conduct HIPAA compliance audits throughout the country on a regular basis, as called for under the HITECH Act.

Preparation tips

To be fully prepared, Wiseman said hospitals should:

  • Conduct a HIPAA compliance evaluation to identify areas of weakness and document risks;
  • Put together an action plan for resolving those weaknesses and minimizing risks;
  • Carefully monitor whether all compliance strategies, such as changing passwords every 90 days, are actually being carried out throughout the enterprise;
  • Update risk assessments whenever an application is upgraded or replaced; and
  • Make extensive use of encryption.

Wiseman, however, lamented that most clinical information systems perform poorly if their databases are encrypted. He called on vendors to remedy this situation to help improve security over the long haul.

If auditors know that a hospital has already identified areas of security weakness and is working on resolving them, that will improve the organization's audit results, Wiseman concluded.


About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
