HIPAA Regulatory Alert
Audit raises concerns about data security requirements
Audit first of its kind
A U.S. Department of Health and Human Services (HHS) audit at Piedmont Hospital in Atlanta is raising concerns in the information technology industry that there may be more HHS enforcement actions relating to HIPAA data security requirements.
Computerworld, citing documents it obtained, says the audit was the first of its kind under HIPAA and covered 42 items on which HHS requested information. Among those: the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet use, violations of security rules by employees, and logging and recording of system activities. Also requested were IT and data security charts and lists of the hospital's systems, software, and employees, including new hires and terminated workers.
Security Director Randy Yates at Houston's Memorial Hermann Health System told the magazine that everyone in the industry is aware of the audit and said it contributed to approval of his $1.3 million budget item for data encryption in the next fiscal year. Yates said Memorial Hermann did a gap analysis after hearing of the audit and took steps to improve the areas in which it was at the greatest risk for noncompliance. He expressed confidence in the measures taken to comply, but said a lack of detailed public information about what HHS was looking for (neither the agency nor the hospital has confirmed the audit) was "a little bit disconcerting."
Healthcare Information and Management Systems Society Director of Privacy and Security Lisa Gallagher said it was puzzling that it appeared the audit was conducted by the HHS inspector general. She said most people in the industry have assumed that any security-related enforcement actions would come through the Centers for Medicare & Medicaid Services (CMS).
"Nobody really knows why the inspector general did it or what's going to be their criteria for selecting the next one," she said. She also voiced concern about the checklist approach the investigators appeared to take.
One analyst said he thought HHS decided on the audit partly because it has been under political and media pressure to enforce the HIPAA rules. He expects to see more audits in the future but doesn't think they will be too frequent, partly because the agency doesn't have enough staff to devote to them. And, despite industry buzz, he doubts the audit will lead many other organizations to step up efforts to comply with security requirements.
"Until at least several audits have been completed, and the industry sees action to enforce the HIPAA security rules, I think serious attention to compliance will not be a major focus," he said.
But Peter MacKoul, president of HIPAA Solutions, based in Portland, said it's not only HHS enforcement that those handling medical data need to be concerned about. Increasingly, he said, law enforcement authorities and courts are using and interpreting HIPAA in ways that could have broad implications.
Last year the North Carolina Court of Appeals overturned a trial court decision to dismiss a HIPAA-related complaint brought by an individual against a psychiatrist's office. MacKoul said the verdict basically allowed the plaintiff to use HIPAA as a "standard of care" to bring an individual action against an organization. He also said while HIPAA initially applied to electronic medical records, courts have extended it to cover paper records.