HIPAA Audits: Documentation Is Key
Evidence of Compliance Efforts is Critical, Expert Stresses
"If auditors get a sense that you can't find your own documentation, they will know that the documentation is not really referenced or readily used in your organization," Baker says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
KPMG, the company hired by the Department of Health and Human Services' Office for Civil Rights, will launch HIPAA privacy and security rule compliance audits in the months ahead (See: McAndrew Explains HIPAA Audits).
When auditors come, it's important for healthcare organizations to be able to provide materials that show they are working toward being HIPAA compliant. "If you are organized and you can produce your documentation, it will give auditors comfort that this documentation is leveraged in the organization," Baker says.
In the interview, Baker recommends healthcare organizations have the following documents ready:
- Security and privacy policies and procedures;
- A risk assessment and corrective action plan;
- An organizational chart outlining privacy and security responsibilities;
- A technology inventory, including all security tools used;
- Business associate agreements;
- An incident response plan; and
- HIPAA compliance training materials.
Baker is the co-founder and CEO of Meditology Services, which advises organizations on risk management as well as privacy and security compliance issues. He formerly served as chief strategy officer at the Health Information Trust Alliance, and he continues to serve as an adviser to HITRUST.
HOWARD ANDERSON: Why don't you start by telling us a little bit about your firm and also how you serve as an adviser to the Health Information Trust Alliance?
CLIFF BAKER: I started the firm last year called Meditology Services. ... We help a number of clients with IT risk management and compliance, particularly in the security and privacy area. We also do a lot of work in ... EHR deployments. I still do a lot of work with the HITRUST Alliance ... I still serve as an adviser and in a chief strategy role. ...
Questions from Auditors
ANDERSON: The HHS Office for Civil Rights has announced plans to launch HIPAA compliance audits in the coming months. OCR officials have indicated that the audits likely will focus on overall compliance with the HIPAA privacy and security rules, rather than focusing in on one specific narrower issue. What are some of the key questions auditors are likely to ask that folks should be preparing for?
BAKER: I think it's important to keep in mind that the contract has been awarded to KPMG so ... if you are thinking about an audit, you should probably think about the way Big Four audit firms typically conduct their audits, and that's probably the same way in which these audits are going to be conducted. When they come in, they're going to want to see clear accountability. So out of the gate, you should have somebody responsible for interfacing with auditors who takes accountability for your security program. ... The auditors are going to want to make sure that you are organized and that there is somebody that is clearly accountable for the information security program at your organization.
They will want to know about any prior audits and any progress you are making to [remediate] findings related to those audits. ... They will want to see a risk assessment and they will want to know the findings of that risk assessment and what corrective action plans you have in place to address any of those findings. ... Then they will probably focus on areas that are typical challenges for the industry. Some of the key areas that OCR has cited, and that is typically focused in on [by auditors], are things like ... incident detection and response; reviewing and monitoring of log files; secure wireless access; managing user access controls and passwords; securing all the devices; patch management and malware protection; and role-based access control. ...
They'll probably ask you. ... Have you had any incidents? The right answer is not "no." They would typically expect that you have had incidents and they will want to know what you've done to handle those incidents. Then also they will want to know ... what business associates you share your data with and do you know where your data is going and how it is being handled.
Preparing Documentation for Audits
ANDERSON: Auditors will ask for certain documentation in advance, according to the Office for Civil Rights. What kinds of documentation would you suggest that an organization have ready to help prove their compliance?
BAKER: It is important for an organization to have their documentation organized and ready. If auditors get a sense that you can't find your own documentation, they will know that the documentation is not really referenced or readily used in your organization. If you are organized and you can produce your documentation, it will give auditors comfort that this documentation is leveraged in the organization.
Examples of the documentation that you should have ready are your policies and procedures, so those should be ... up-to-date. ... If they haven't been updated since 2005 or 2003 for example, you want to make sure that those reviews are conducted and those policies are up-to-date. You will want to have your risk assessment results available, as I just mentioned. OCR wants to know that you are performing a risk assessment ... on a recurring basis. ... You want to have ... the results of a risk assessment handy and then the corresponding corrective action plan handy.
[Also have documentation] of any prior audits that you may have conducted. Also, have an organization chart ... to demonstrate that you have clear accountability for information security and ... privacy in your organization. You will want to have a technology inventory ready. They will want to know that you know where your systems are, and also what security tools you deploy - what do you use for virus management, patch management and vulnerability management, as examples. They will want to see potentially BA [business associate] agreements and incident response plans, and configuration for wireless access, password settings, servers etc. When they come inside, they may also look at things like user access logs, system configurations and any evidence of you handling and supporting incident response. They will probably also look at training and awareness program materials as well.
Conducting a Self-Audit
ANDERSON: Should healthcare organizations conduct some sort of self-audit to help prepare? And if so, what are the key steps involved in that?
BAKER: There is actually ... some difference of opinion about this topic in the industry. Some organizations believe that you shouldn't try and hand regulators their findings before they come on-site, i.e. don't do an audit and then hand over those results to the regulators before they actually conduct their own audit. Another school of thought, though, is that it is better to be prepared and for you to understand what your issues are and to be able to demonstrate that you are remediating those issues and have a plan to fix those issues over time. That is the position that I support. I think it puts an organization in a stronger position if they can demonstrate that they are doing their due diligence. ... You may have findings as a result of your own audits, but it is a much stronger position for an organization to be discussing timelines and priorities of remediation versus being surprised by [auditors'] findings. In those circumstances unfortunately, either management or security and privacy officers will be in a reactionary mode and will have to agree to timelines or stipulations provided by the auditors, versus providing your rationale and your own priorities around remediating issues that may exist in an organization.
I'm a strong supporter of doing those self-audits, knowing what the situation is in your own environment and having a plan and response to how you are remediating those issues. Even if it is over a multi-year period, that is OK as long as you have some plan in place to remedy those situations.
Critical Steps for Audit Prep
ANDERSON: Finally, are there any other critical steps for audit preparation that you would like to highlight?
BAKER: ... In summary, have somebody in the organization ... accountable for facilitating the audit. You want to be organized. There is going to be a lack of credibility for your security program if you appear to be disorganized - if it is a last-minute rush to pull together documentation. Have the documentation on the ready and be prepared to provide it to the regulators. Then as I mentioned, with respect to the self-audit, you want to know where you stand and be prepared to defend your decisions.
And I want to emphasize this point: It's important for an organization to have some reference base for their decisions. I'm sure many organizations employ very experienced and skilled security and privacy individuals, but at the end of the day you don't want this to be a debate between the experience of your security and privacy people and the auditors.
It is a much stronger position to make sure that you are grounded in some reference source. Make sure you reference something, whether it's the Health Information Trust Alliance's Common Security Framework, whether it is the SANS list [of key exposure areas] or whether it's the NIST [National Institute of Standards and Technology] security standards; it doesn't matter. Make sure though that your rationale for risk and then your rationale for the corresponding controls is based on some reference source. That will help you to defend your position with the regulators.
It is appropriate for you to ask the regulators to defend their recommendations. As I mentioned, every audit will reveal findings and every audit will include recommendations, and it's completely appropriate for you to not necessarily agree with their results of the audits or the results of those findings and ask auditors to support their positions based on their reference sources. ... That is a strong position to be in. Know where you stand, be prepared to defend your decisions and make sure they are rooted in some reference source or standard in the industry.