HIPAA Compliance Challenges Due to OCR’s Enforcement Rules — an Auditor’s Point of View [Q&A]

Joe Grettenberger and Dan Anderson

A few weeks ago, we hosted a webcast, "How the Latest OCR Enforcement Trends Impact Your HIPAA Compliance—An Auditor’s Point of View," with independent auditors Joe Grettenberger and Dan Anderson from Compliance Collaborators discussing IT compliance topics.

In the webcast, they discussed current IT security challenges within the healthcare industry and how those challenges tie into the latest statements from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). At the end of the webcast, they took a few minutes to answer our attendees’ burning questions.

Joe and Dan did not disappoint! Below is the transcribed question and answer portion of the webcast.

Q: How often should organizations be performing a Security Risk Analysis (SRA)?

Dan Anderson: I think it should be at least yearly, but organizations may want to move towards quarterly and then get a continuous process in place. And eventually, moving to a continuous/ongoing audit is best.

Q: How long does a security risk analysis take?

Joe Grettenberger: I’ve seen SRAs go as fast as a week or less in the smaller organizations and that’s with everybody working together very quickly. It could stretch out to as far as 3 or 4 weeks, unless you are a very large organization. But typically, it’s not recommended to let it stretch out too long.

DA: It varies all over the place. If you’re working in a large organization, it could take quite a lot of time, months even, to get your arms around everything that you have to do. So it just depends on the size of the organization. If you are a small community hospital that only has 20 beds and it is the only facility you have, it could be a lot easier to get your arms around that, so that could be done a lot more quickly.

Q: Do audits get scored like tests? For example, are organizations given X percent in order to pass?

JG: Under HIPAA you have required safeguards. You absolutely have to have them. So if the answer is no, then you have to build an action plan: how you are going to get that safeguard into place, that missing safeguard or deficient safeguard. Now there are also addressable types of requirements, and those that are addressable mean that you need to read the intent of addressable requirements and then provide an explanation if you’re not doing exactly what it says and prove you’re meeting the intent of it. Again, now all of these are requirements, so you have to address them. If you’re doing your risk assessment and as you’re going through requirements in the HIPAA Security Rule your answer is “well we kind of have that, but really don’t” or “we have 50 percent,” then you should build an action plan around that and remediate that because you need to get them all.

DA: Like Joe, I haven’t seen any specific numbers or grades provided in any way. But everyone has their own way of measuring it. One of the things I know the OCR looks at when addressing requirements is how serious do the addressable requirements get looked at, and they may only be required to be addressable; but, is the organization taking the requirements seriously and what are they doing about it or are they just writing a statement to say “yeah it’s addressable but we’re not doing anything about it.” That’s not viewed in the same light, even though there is not a grade or number put against that.

Q: Is it acceptable for an organization’s IT security staff to conduct the SRA or is it highly suggested for an external consult or vendor to conduct it?

JG: My thought is the answer is yes. You can have IT staff conduct a SRA, especially if you have knowledgeable people. They really need to be knowledgeable and familiar with not only the security rules but what’s reasonable out there in the industry. Within HIPAA you have physical safeguards like locks on doors, alarm systems, administrative procedures, and technical, so you have your three categories there. When it comes to what is sufficient with a particular safeguard you do need someone who is familiar enough who can judge according to not just best practices, but what is reasonable for the organization. Now that is a good discussion to get multiple people involved in. They should be a good judge of what’s reasonable as they determine whether you’re meeting a particular requirement.

DA: I would agree with Joe, it’s not against the law or anything to have the same people doing your networks, operations and security to do the risk assessment. There is a little bit of danger there though. A lot of times those same people are going to believe that everything is good and there is a little bit of denial of how good it is. While it is not prohibited, I would suggest having an internal audit group that has some certified IT auditors on board and/or extend an external consultant to come in and give you checks and balances. It’s kind of like having your independent financial CPA come in and tell you how well you’re doing at the end of the year. I like to see both. I like to see the engagement in the IT teams and that they’re involved with the remediation or could be involved with risk assessments. But it comes down to how honest they are about it themselves. It’s nice to have a second or third opinion.

JG: Absolutely! That’s the value of having an independent party coming out. Not only are they competent and familiar, they are professional. Dan and I are biased, we believe there should be a certified auditor doing this kind of work. So if they’re not certified auditors, you can still do it, but you probably should have some guidance out there. That independence really helps garner credibility. And so I think it depends on the situation you’re in, the size you are, the resources you have, and whether you’re already under scrutiny. If you’re already under scrutiny by OCR or some other enforcement organization, I think it’s best to have an external auditor.

Q: What are some of the tools available that can assist organizations with performing a SRA?

JG: There are many tools available, including spreadsheets. Dan and I probably both have used spreadsheets for most of our career. People still do that, they still use spreadsheets. Increasingly in the last few years, there are vendors coming out with software that is purpose-built for either security risk assessment itself, which is kind of a niche area still, or an overall GRC program. So you’ll see purpose-built solutions that are out there. The government also has a purpose-built risk assessment tool, they call it their security risk assessment tool. That is available on the HHS website. I’ve used the tool. If you are a small organization and you do not have multiple locations, you can identify multiple roles and actors, all the people that should be included in the risk assessment; you can work with this. If you’re a large organization with multiple locations and multiple HPPS systems, that’s going to be pretty difficult to use. I would recommend steering away from the tool unless you are a smaller organization that does have a lot of locations and systems, etc. And it’s easy enough to do a Google search on the purpose-built versus the IT GRC type risk assessment software that’s available.

DA: At Cyber Eleven, we have some of our own internal processes and tools we use. We do a lot of work on spreadsheets as well. Our sponsor certainly has very viable offerings in the GRC space. But also, if any of you are familiar with Gartner and you consider the Magic Quadrants, there are a lot of companies that offer the purpose-built software that is good to work with. It comes down to, whether you build it, spreadsheets, etc. Just make sure you’re doing it, that you’re serious about it, you have a time, it’s funded and senior leadership approves it. All of these things really come into play.
