Covered Entities and many Business Associates are keenly aware of the initiation of the latest round of HIPAA Audits being performed by KPMG, on behalf of the Office for Civil Rights. Powered by $9.2 million in tax payer funding, KPMG was selected to perform the audits in two phases. The Covered Entity and Business Associate identification and catalog was based upon the selection criteria established in a previous phase in a public contract awarded to the firm of Booz Allen Hamilton.
So what’s happening right now? Where’s our promised Audit Protocol so that we can prepare?
These are the first two questions we hear almost every day.
Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits recently presented at the NIST / OCR Conference, Safeguarding Health Information: Building Assurance Through HIPAA Security. Linda presented some key information, but did not deliver or present the Audit Protocol we have all been waiting for. Based upon results from the first 20 pilot audits, here are some of the key takeaways. The top Security issues included findings across Covered Entities related to:
- User Activity Monitoring (Logging)
- Contingency Planning (Disaster Recovery, Business Continuity, Business Impact Analysis (BIA))
- User & System Authentication & Data Integrity
- Media Reuse and Destruction (Think USB drives, Hard Drives, Optical Media, etc.)
- Lack of conducting a Proactive Risk Analysis
- Granting, Modifying, and Removing User Access
- Incident Response Planning, Mitigation, Remediation of Core Issues
- Encryption (Data at Rest)
- Physical Access Controls (Access to Data Centers, Workstations, Mobile Devices)
- Conduct a robust Risk Analysis.
- Find all of your PHI, not just the obvious PHI (Consider unstructured data, archived data, etc.)
- Map the data flow of PHI in to, throughout, and out of your organization. Without this knowledge, it is impossible to achieve compliance.
- Determine all of the lines of business affected by HIPAA.
- Create, if needed, update always, and train workforce members on your HIPAA and Security Policies, supporting Procedures, and Practices.
1. Department of Health and Human Services, Office for Civil Rights, Audit Program Home Page, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
Please contact RISC Management & Consulting to schedule a webinar on this topic, or for assistance developing your OCR / KPMG HIPAA Audit Response Kit at http://www.RISCsecurity.com