Can Your Hospital Pass an HHS Security Audit?
The HIPAA Privacy and Security regulations have been around since 2006. Much has been written about data privacy and the unauthorized access to protected health information. Often, however, hospitals take compliance with the security requirements for granted. It is easy to see why: this part of the HIPAA regulations concerns the creation of technical and other policies (i.e., the technical, physical and administrative requirements) designed to protect health information. This is the “detail” where only the brave, and technologically savvy, dare to tread.
A recent study by the Office of Inspector General for Health and Human Services revealed that hospitals may not be compliant in key security areas. In some respects, the report chides the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR) for not enforcing the HIPAA Security Rule. The report notes that:
CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule. As a result, CMS had limited assurance that controls were in place and operating as intended to protect ePHI, thereby leaving ePHI vulnerable to attack and compromise.
Specifically, the report noted that “audits of 7 hospitals throughout the United States identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge.” These were deemed to be “high impact” vulnerabilities, which the study defined as those that:
(1) may result in the highly costly loss of major tangible assets or resources;
(2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or
(3) may result in human death or serious injury.
The audits were conducted at hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas, and focused on the hospitals’ implementation of:
(1) the wireless electronic communications network or the security measures that the security management staff implemented in its computerized information systems (technical safeguards);
(2) the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
(3) the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).
The report concluded that:
Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage OCR to continue the compliance review process begun by CMS in 2009.
An audit in Pennsylvania is still underway.
OCR responded by cautioning, correctly, that few conclusions could be drawn about the state of compliance of all hospitals from a narrow audit of only seven facilities. Nevertheless, the audit could put political pressure on OCR to step up compliance efforts. We can only hope that OCR does not seek to appease these criticisms by increasing fines to providers.