HIPAA Privacy Audits – How Badly Am I Screwed?

What the Coming HHS Audits Mean for Your Healthcare System With the announcement that KPMG really is going to start performing HIPAA Privacy Audits in the New Year, we’ve had numerous conversations with healthcare providers around getting their privacy and security programs up to scratch. It’s a well-known secret in the healthcare industry that HIPAA compliance does not receive the attention (or the funding) that it should. There are of course exceptions and I should note that most security and privacy professionals in the healthcare industry take their jobs very seriously and honestly do consider the protection of patient data to be their number one priority. But, it’s often difficult to do your job if you don’t have the funding or resources needed to do it properly. The federal government hasn’t helped – creating a mandatory requirement, but not putting in place any mechanism for testing compliance with that requirement rapidly creates a sense of non-urgency. What’s the point of REALLY making sure that we’re HIPAA compliant if no one’s going to check? It costs a lot of money, it’s annoying to doctors, it’s not even the slightest bit sexy, and it’s going to impact options to the organization. And, if none of your competitors are limiting themselves and spending extra money on ensuring HIPAA compliance, a healthcare executive is going to see true HIPAA compliance as a competitive disadvantage. Now it looks like everything is going to have to change. Don’t believe me? Think the audits are going to be ‘no big deal?’ Let’s draw a parallel with another compliance requirement – PCI DSS. For those of you not familiar with PCI, you should be – you probably have to comply with this as well. In any case, it’s the data security standard inflicted on merchants and service providers (companies that facilitate credit card payments) by the large credit card brands (VISA, MasterCard, etc.) Anyone that takes (or processes) a credit card for payment needs to be PCI compliant. Although the card brands catch a lot of flak for ‘inflicting’ PCI on the world, the truth of the matter is, something needed to be done. Credit card data was not being protected and it was costing the card brands a LOT of money in fraudulent charges and impacting consumer credit ratings. If they hadn’t created their own standard the government most likely would have. When PCI was first rolled out to the community there were a lot of merchants that thought it was no big deal, but they didn’t plan on three things:

  1. The card brands were perfectly willing to let non-compliant merchants make ‘examples’ of themselves (link, link)
  2. The legal community quickly learned what ‘PCI-compliant’ meant and how not being PCI-compliant could be used in things like multi-million dollar class-action lawsuits
  3. The PCI standard gave consumers a benchmark against which to judge the merchant’s brand.

These points have been effective because the card brands maintain a unified front when it comes to PCI (they all agree to the codified requirements as the baseline required by merchants to transact credit cards securely) and because they have a mandatory audit mechanism in place that gives them the power to take action if the merchant or service provider isn’t complying with PCI. I think that we have the same dynamic going on now with HIPAA.

  1. KPMG is going to be looking to justify their million dollar contract with the government – they will find issues with compliance during their audits.
  2. The legal community is already very aware of privacy breaches in healthcare and what that means for things like multi-million (and multi-BILLION) dollar class-action lawsuits (link, link, link)
  3. Everyone now has a benchmark against which to judge how much a healthcare provider cares about their patients’ data

I think that it’s time to figure out a plan on how to really address HIPAA – both in the short-run (i.e. achieving an initial compliant state) and long-run (maintaining compliance moving forward.)  If you aren’t familiar with the recent announcement involving the upcoming audits here’s a link on the HHS site which includes a sample of the letter that will be sent out to organizations.  Also note – the first round of audits is going to focus on Covered Entities, but future rounds will also include Business Associates. For some additional information on how to put together a workable approach to really achieving HIPAA compliance please see material on the NetSPI blog and NetSPI services pages.  Also – NetSPI will be putting together whitepapers, additional blog posts, and (possibly) a webinar on this topic over the next couple of months.  Please check back here for more information, make a comment, or send me an email (link below) if you would like to discuss.

Discover why security operations teams choose NetSPI.