Official HIPAA Compliance Audit Protocol Published - Of particular interest to Redspin is the section dedicated to IT security.

1. Official HIPAA Compliance Audit Protocol
Published
July 2, 2012
The Department of Health and Human Services’ Offices for Civil Rights (OCR) have finally published the official protocol
and detailed procedures guiding their HIPAA Audit program. The protocol, developed by subcontractor KMPG together
with OCR, includes 77 evaluation areas for security and another 88 areas for privacy/breach notification. Here’s a link to
the publication which is conveniently keyword searchable. http://ocrnotifications.hhs.gov/hipaa.html
Of particular interest to Redspin is the section dedicated to IT security. As former White House Cybersecurity Czar
Howard Schmidt said recently, “Without security, there can be no privacy.” We were pleased, but not surprised, to see that
the audit protocol maps directly to the HIPAA Security Rule sections§164.308, §164.310 and §164.312.
For the past several years, we’ve advised our clients that any official HIPAA security audit program would necessarily
revert back to existing HIPAA Security Rule provisions “on the books” since 2005. It’s how Redspin designed its own
methodology for our HIPAA Security Risk Assessments (click here to download our crosswalk map) and we were 100%
confident that our approach would pass muster with any subsequent interpretations.
Further, at the June 7th HIPAA Security Rule conference, Linda Sanchez, Senior Advisor and Health Information Privacy
Lead at OCR, reported that the results of the first 20 OCR/KPMG pilot audits showed that security compliance was a far
more troublesome area than privacy compliance. More specifically, 74% of the findings were security gaps or breach issues
compared to 26% policy violations. Against the backdrop of the transition of the healthcare industry from a paper-based
system to electronic health records, Redspin continually stresses that IT security is job one.
OCR concurs. Ms. Sanchez went on to recommend “next steps” that all covered entities should implement not simply as
preparation for a potential audit but as best practices. Her first suggestion? Conduct a robust review and assessment.
Next? Determine stakeholders – all lines of business that are impacted by HIPAA regulations. Then identify all of the
protected health information (PHI) within the organization and map its flow within the organization and to/from business
partners.
In conclusion, the audit protocol itself is informative at least in the sense that there are no surprises, but neither does it
offer any more explicit guidance than what is in the HIPAA Security Rule. Redspin continues to advise our clients that
safeguarding PHI is the primary objective. By conducting a comprehensive security risk analysis and implementing a
remediation plan that address the findings in a diligent and timely manner, a covered entity will not only improve its
security posture and reduce risk, but will also have nothing to fear from an OCR/KPMG audit.
WEB PHONE EMAIL
WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM