HIPAA Audits: A Guidance SourceAttorney Points to Government Report for Insights
Hospitals and other covered entities looking for insights on how to prepare for a HIPAA compliance audit - as well as prevent breaches - should build a self-audit approach based on the findings of a recent government report, says attorney Timothy McCrystal.
The Department of Health and Human Services' Office for Civil Rights, which enforces the Health Insurance Portability and Accountability Act, plans to conduct about 150 HIPAA compliance audits this year.
Last year's report from the HHS Office of the Inspector General focused on technical vulnerabilities identified in seven hospital audits, McCrystal, a HIPAA compliance expert, explains. These included: vulnerabilities related to wireless access, access control, audit control, integrity control, person or entity authentication and transmission security.
The OIG report provides "a reasonable roadmap for where security auditors ... would review security vulnerabilities within hospitals that receive notification of a [HIPAA] audit," McCrystal says. "We are suggesting to our clients that they understand this report and develop a potential work plan for a self-audit mechanism to go through their own operations in light of the findings within the report to see where they may have vulnerabilities."
In an interview with HealthcareInfoSecurity, McCrystal reviews the details of the OIG report, written to call attention to a lack of HIPAA enforcement. The report, for example, found that some hospitals had not updated anti-virus software and had audit logging functions disabled.
In the interview (transcript below), McCrystal also:
- Provides advice on working with business associates to prevent breaches. He reviews a long list of questions to ask vendors before entering a contract.
McCrystal is a partner in the healthcare group of the law firm Ropes & Gray. He works with healthcare clients on wide variety of regulatory issues, including HIPAA privacy and security rule compliance.
HOWARD ANDERSON: For starters why don't you tell us just a little bit about your firm and your activities in healthcare?
TIMOTHY MCCRYSTAL: I'm a healthcare partner with the law firm of Ropes & Gray. We represent a variety of healthcare clients across the country. We work with both covered entities and businesses associates on compliance with the HIPAA privacy and security rules and have, in particular, over the last few years worked on a number of data breach matters with our clients in responding to both federal and state laws.
Breach Notification Rule
ANDERSON: The interim final version of the HIPAA breach notification rule has been in effect since September 2009, and there is a final version of the rule due out some time in the coming weeks. Are there any steps you would advise organizations to take to prepare for compliance with the final version of the rule, or is it best for now to make sure all measures are in place for compliance with the current version?
MCCRYSTAL: We generally have been advising clients first to make sure that they are in compliance with the current version with respect to breach notification, and to have in place policies and procedures that enable them to meet the current expectations under the law. However, recognizing that there is some unpredictability with where the final rule will end up, we have been advising clients to put in place general plans for purposes of compliance with the expected changes in the rule so that they are not starting from scratch at the time that the rule is published and adopted and they can move fairly quickly. But because some of the changes will require amendments to policies and procedures - perhaps notices of privacy practices and the like - many of our clients are holding off on those changes until the final rule is adopted. ...
Breach Detection, Notification
ANDERSON: Based on your experience, what are the most important steps organizations can take to make sure they are well-prepared to detect breaches? What are the essential steps to take to prepare for breach notification in compliance with federal and state laws as they now exist?
MCCRYSTAL: First, with respect to preparedness, the HIPAA security rule [has] a required element that covered entities undertake a risk assessment. Now many covered entities undertook that assessment some time ago in compliance with the rule ... but there is varied experience in updating those assessments over time. ... I would suggest updating risk assessments that were undertaken some time ago to refresh an organization's knowledge of potential areas of risk and vulnerability.
Second, for purposes of detection, organizations should communicate widely to all personnel the need to report suspicious activity and potential breaches promptly so that an organization can act in the event that there is a signal that there may be a breach. Organizations also should identify the individuals to whom reports of a potential breaches should be made. In addition, organizations should have a designated team that is responsible for investigating suspected breaches and conducting risk assessments in the event that a breach occurs to determine breach notification obligations under federal and state law. Also, organizations should have clear and easy-to-understand breach notification policies and procedures in place to ensure that, in the event of an actual breach, the organization can fulfill its notification obligations at state and federal levels in accordance with time requirements set forth under the law.
We also think that organizations should set forth clear reporting obligations ... in the business associate agreements with outside vendors. And we are also seeing some organizations make significant investment in electronic intrusion and monitoring systems designed to detect and notify an organization of suspected electronic breaches. Finally, because use of data both at rest and in motion is an area where a number of organizations have had points of vulnerability with respect to breaches, we are seeing a number of clients encrypt data, in particular with respect to mobile devices and the transmission of information outside of their organization, and trying to take advantage of the safe harbor that exists for so-called secured PHI [protected health information] that is encrypted in accordance with the standards set forth in the [HIPAA breach notification] rule.
ANDERSON: More than 20 percent of the major healthcare information breaches, including several of the very largest incidents, have involved business associates. So what are the essential steps to take to make sure business associates and their subcontractors are taking adequate precautions to prevent breaches?
MCCRYSTAL: One initial very important step is diligence at the time of contracting. There is a practical reality to contracting with a large number of business associates - the covered entities are not able to monitor their day-to-day functions, but if there is diligence undertaken at the time of contracting to ask questions such as the following, we believe that this would be an appropriate risk management response for a covered entity.
For example, does the business associate have HIPAA privacy and security policies and procedures in place, including a policy regarding investigation of potential breaches? Do they have methods in place internally to monitor and evaluate compliance within their organization? Does the business associate encrypt data that it stores and transmits, and if so, what is the nature of the encryption, and does it meet applicable standards? Has the business associate been involved with or responsible for any breaches in the past? Are there any subcontractor arrangements that the business associate contemplates? If so, the covered entity may wish to review those and potentially approve those before information that the covered entity provides to the business associate is transmitted to a subcontractor.
With respect to the contract itself, we believe that covered entities should consider having clear reporting mechanisms and obligations in the business associate agreements. Incorporate audit rights into the business associate agreement so that the covered entity can periodically audit compliance with the HIPAA privacy and security requirements applicable to business associates. We believe that the covered entity, in addition to having the right to audit, should actually implement an audit from time to time to ensure compliance. Some of our clients when contracting with business associates have conducted audits of their privacy and security practices in advance of entering into a contract, and that is another approach that is particularly useful. We also encourage covered entities to pay attention to the breach identification and remediation provisions of the business associate agreement to ensure that there are appropriate steps that could be taken for purposes of the contract in the event that there is a security breach.
ANDERSON: I understand that the resolution agreements that the HHS office for Civil Rights has reached with organizations regarding HIPAA violations, including data breaches, have contained some common provisions. What are the most important lessons we can learn from these agreements?
MCCRYSTAL: One lesson that I think comes from reviewing the agreements and comparing them is that OCR is getting to the basics of the privacy and security rule in enforcement and implementation of these several resolution agreements. For example, when you look at the various resolution agreements in each case, OCR is requiring covered entities to address the issue at hand by having in place appropriate policies and procedures. They are also requiring those policies and procedures to be distributed and reviewed by relevant personnel within the organizations. In some cases, this is the entire body of employees and care providers and others working at a particular institution. So it's a fairly large number of individuals that are required to receive and read and review the policies and procedures.
OCR has been particularly focused on training related to policies and procedures. I have participated in discussions with OCR on a resolution agreement, and that was a particular point of focus - that the organization not just have policies and procedures, but that employees and others had been trained on them, understood them and were actually implementing them in their day-to-day responsibilities.
OCR is also focused on follow-up ... to make sure that policies and procedures are being observed and remediation steps taken by the organization to the extent that there is conduct that diverges from the requirements of the policies and procedures and the rule.
I think another area is also cooperation. If you look at the settlement amounts that have been paid by parties under these resolution agreements - in the case where OCR noted specifically that Cignet Health had not cooperated with requests for information in connection with remediation - the fine and penalty paid by that organization was more significant than in other instances where parties had been cooperative in resolving issues with OCR.
ANDERSON: Finally, the HHS Office for Civil Rights is conducting a HIPAA compliance audit program this year. What advice would you give organizations on how best to prepare for an audit?
MCCRYSTAL: I believe that the May 2011 report issued by the HHS OIG [Office of the Inspector General], which criticized the historical lack of proactive HIPAA compliance audits by CMS [the Centers for Medicare and Medicaid Services] is a good roadmap. ... In that report, HHS OIG identified a number of areas of vulnerability for providers based on audits of seven hospitals nationwide. The most significant vulnerabilities that OIG found were in the category of technical vulnerabilities, including vulnerabilities related to wireless access, access control, audit control, integrity control, person or entity authentication, and transmission security.
In particular, HHS OIG summarized several areas of vulnerability. One was wireless access. Five of the hospitals had wireless access vulnerabilities, including ineffective encryption, rogue wireless access points, no firewall separating wireless networks from internal wired networks, broadcasted service set identifiers from hospitals' access points, and no authentication requirements for entering wireless networks.
Another area was access control. All of the hospitals reviewed had some access control vulnerabilities involving things such as domain controllers, servers, workstations, and mass storage media used to receive, maintain, or transmit ePHI [electronic protected health information]. This included inadequate password settings in some cases, computers that did not automatically log users off after periods of inactivity, unencrypted laptops containing ePHI and excessive access to group folders within systems.
Another area was audit control. Five of the hospitals had audit control vulnerabilities involving their servers, routers, firewalls, databases and wireless access points that contained or transmitted ePHI. These hospitals had audit logging disabled for one or all of the above items, and their network administrators did not perform routine reviews of operating system and application audit logs. The OIG audit states that these vulnerabilities adversely impacted the hospitals' abilities to investigate suspicious or malicious activity, including attempts to hack the hospital's networks or compromise the confidentiality and integrity of network ePHI.
In addition, integrity control was another area of problems for these seven hospitals. All of them had integrity control vulnerabilities on personal computers and servers containing ePHI, such as uninstalled critical security patches, outdated anti-virus updates, operating systems that were no longer supported by the manufacturer and unrestricted Internet access for hospital users. HHS OIG specifically criticized cost-cutting measures, such as not updating anti-virus software, scan engines and service arrangements with operating system vendors.
Finally, entity authentication was another problem. Four of the hospitals had entity authentication vulnerabilities, including inappropriate sharing of administrator accounts and unchanged default user identification and passwords. Four of the hospitals also had transmission security vulnerabilities in the form of using inappropriate plain text remote administration tools, no e-mail encryption, and unnecessary network service in unsecure network services systems.
So looking at this report, given the fact that there was focus on all of these issues, I believe this a reasonable roadmap for where security auditors ... would review security vulnerabilities within hospitals that receive notification of an audit. We are suggesting to our clients that they understand this report and develop a potential work plan for a self-audit mechanism to go through their own operations in light of the findings within the report to see where they may have vulnerabilities.