Until now, the data security provisions of the Health Insurance Portability and Accountability Act received scant attention from regulators, particularly compared to enforcement activity for other federal information security mandates like the Sarbanes-Oxley Act or the Gramm-Leach-Bliley Act.

That is beginning to change, as federal regulators complete their first HIPAA security audit and prepare to issue more detailed compliance guidelines. Compliance executives are starting to take notice.

The Centers for Medicare and Medicaid Services (CMS)—the division of the Department of Health and Human Services that administers HIPAA—is tightening up requirements for remote access to health care data, to better protect information stored or retrieved on laptop computers and wireless devices. The agency issued security guidance in December; the proclamation was, according to Kate Borten, founder of consulting firm the Marblehead Group, the first time CMS sounded “slightly serious or slightly threatening.”

The HHS Office of Inspector General launched its first official HIPAA compliance audit in March (more than four years after the security rule was published) targeting Piedmont Hospital in Atlanta. The purpose of the audit is primarily to review how the hospital addresses its HIPAA obligations, and the findings and recommendations will be made public, according to OIG spokesman Glenn Baly. CMS will then determine any follow-up action.

Jay Mitchell, general counsel at Piedmont Healthcare, the parent company of Piedmont Hospital, says HHS didn’t tell the organization why it was chosen first, but he views the experience as a chance to confirm that the organization is in compliance.

“It's going fine theoretically. We take it very seriously,” Mitchell says. “We certainly don’t mind the government attention. We’re looking at it as a learning opportunity.”

The hope among data security experts is that the increased government interest will spur health care organizations to take HIPAA as seriously as other organizations take regulations like Sarbanes-Oxley or Gramm-Leach-Bliley.

Common Compliance Themes

HIPAA shares a number of key information security and confidentiality principles with other federal regulatory obligations, including SOX and Gramm-Leach-Bliley, as well as state and industry-driven regulations. Regulations stemming from SOX, HIPAA and Gramm-Leach-Bliley all seek to ensure the confidentiality of certain types of data, and they all require auditing capabilities or the ability to measure against established controls.

For the most part, the information targeted for protection varies under each law, and IT experts say that no single security solution will cover all compliance obligations. However, many experts advise that a solid security framework based on best practices will go a long way toward compliance with all of the regulatory mandates.

“Treat HIPAA like any one of your data protection requirements, and adopt a best practices approach that will allow you to address not only HIPAA but also any new requirements that come out,” says Mac McMillan, CEO of CynergisTek, an IT consulting firm. “Just about every hospital in America has one or more set of standards or regulations that they’re complying with. HIPAA is just one piece of the puzzle.”

For the Southwest Washington Medical Center in Vancouver, Wash., a best-practices approach to regulatory compliance is the only logical way to go, according to Christopher Paidhrin, IT compliance and security officer for the medical center.

“There absolutely has to be a uniform strategy, planning document and implementation strategic map,” Paidhrin says. “You have to know where you start, how you measure, and what you’re aiming toward.”

The medical center laid the foundation for all of its information security requirements by implementing ISO management and security standards 17799 and 20000. Regulators are increasingly familiar with the standards, and recent revisions to HIPAA, including new naming conventions, reflect a closer association with them, Paidhrin says.

“None of the [federal or state] regulations are as extensive or as exhaustive as the ISO standards,” he adds. “In most cases you’ll exceed the minimum standards of the individual regulations.”

Unifying The Compliance Effort

In complying with the access control requirements of HIPAA and other regulations, Southwest Washington deployed single sign-on technology, called OneSign, from Imprivata Inc. With more than 3,000 internal users, 500 external physicians, and 1,500 external medical support staff needing access to its data, the hospital needed a uniform gateway for user authentication. With OneSign, Southwest Washington can meet several of HIPAA’s requirements and other access control requirements at once.

“HIPAA and Sarbanes-Oxley and a lot of other regulations seem to zero in on accountability and privilege, making sure that the correct users are seeing the correct information,” says Greg LaRoche, Imprivata’s product strategy director. “The regulatory standards don’t overlap 100 percent because their objectives are different. But there are commonalities in user authentication and establishing policies.”

ENFORCEMENTS

The number of HIPAA investigations and their conclusions, by year.

Year    No Violations    Corrective Action    Total
2003         79                 260             339
2004        359               1,033           1,392
2005        642               1,161           1,803
2006        895               1,571           2,466

Source: HIPAA Office For Civil Rights

Many IT vendors are trying to help consolidate and centralize the compliance effort. Procuri, an on-demand supply management provider, offers technology that helps ensure that everyone who has access to private data is covered by a business associate agreement (informally called a BAA), which is a HIPAA requirement.

Procuri TotalContracts lets organizations track all of their BAAs and present a consolidated, up-to-date report in the event of an audit.

“The system will track whether contractors have completed their agreements and certified that they are protecting this information,” says Tim Minahan, Procuri’s marketing chief, adding that it helps organizations consolidate multiple compliance efforts by allowing them to establish a single reporting process.

“If you get to the core intention of both HIPAA and Sarbanes-Oxley, it’s really about information integrity, process audit ability, and transparency,” Minahan says. “Some of the requirements are similar, even though you’re reporting on different things.”

Piedmont Healthcare recently chose the Procuri TotalContracts platform to manage and track contract compliance. The system allows compliance officers to locate all contract compliance information in one place.

“We have to make sure under HIPAA that there’s always a BAA on file,” says Mitchell at Piedmont. “With a lot of large health care systems, there may be contracts that are stored or retained in various parts of the system. I would like to be able to go to one place and know with a good amount of confidence that they are there.”