The auditors are coming, the auditors are coming

Nothing gets the blood pumping like the thought of getting audited. And before the end of 2012 that's exactly what's going to happen to 150 entities and institutions that must comply with HIPAA. The U.S. Department of Health and Human Services (HHS) awarded KPMG a $9.2 million contract to conduct these audits, which are required by law under the amendments made through the HITECH Act in 2009. Unfortunately, the Act itself provides no explanation of what an audit might entail, but the Office of Civil Rights, which awarded the contract, provides some basic details:

  • Interviews with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management, medical records director)
  • Examination of physical features and operations
  • Consistency of process to policy, and
  • Observation of compliance with regulatory requirements


So what exactly does 'Observation of compliance with regulatory requirements' mean? That's a good question, and for HIPAA it boils down to the privacy and protection of health records, wherever they reside and whenever they are moved. The impact this has on the IT organization is huge and affects the storage, messaging, and traffic of this data. The most important HIPAA information security considerations for IT departments and service providers managing ePHI can be found in the HIPAA Security Rule, which requires that covered entities must:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule.
  • Ensure compliance with the HIPAA Security Rule by its workforce.


Many healthcare providers refer to the Control Objectives for Information and related Technology (COBIT) framework to help them comply with HIPAA and other compliance regulations. At Quest we simplify the collection and reporting of this data for COBIT and HIPAA in the form of Report Packs that get applied to the Quest Knowledge Portal. The HIPAA Security Standards Compliance Report Pack provides a set of predefined reports that are organized in accordance with the requirements found in 164.308(a), 164.312(a), and 164.312(b) of the HIPAA Security Rule. These specifications require organizations to:


  • Collect and consolidate all user events into a central repository or database
  • Report on areas such as historical, current and changes to access privileges, as well as regular and administrative user activity
  • Capture privileged access policy violations
  • Schedule delivery of reports to stakeholders
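To make the first three of those requirements concrete, here is an added Python example (not Quest's Report Pack code and not taken from the HIPAA rule text) that consolidates audit events from two differently formatted sources into one time-ordered stream, replays privilege grants and revokes to report both historical and current access privileges, and flags privileged-access policy violations. The log lines, field names, role name and the policy (an authorized-grantor list, a no-self-grant rule and a change window) are all constructed for illustration.

```python
"""Consolidate audit events from several systems, then report on access-privilege
changes and privileged-access policy violations.

Added example: the event formats, field names, role names and policy below are
constructed for illustration; they are not a product's format or the rule text.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events from two sources: an EHR application log (key=value)
# and a directory-service log (pipe-delimited). The formats differ on purpose;
# consolidating them into one schema is the "central repository" step.
EHR_LOG = [
    "2012-03-01T08:02:11 user=jsmith action=login result=ok",
    "2012-03-01T08:05:40 user=jsmith action=view_record patient=P1001",
    "2012-03-01T22:14:03 user=contractor7 action=view_record patient=P1002",
]
DIRECTORY_LOG = [
    "2012-03-01 09:30:00 | ADMIN_GRANT | actor=admin_kim | target=jsmith | role=ePHI_Admin",
    "2012-03-01 23:45:10 | ADMIN_GRANT | actor=contractor7 | target=contractor7 | role=ePHI_Admin",
    "2012-03-02 10:00:00 | ADMIN_REVOKE | actor=admin_kim | target=jsmith | role=ePHI_Admin",
]

# Constructed privileged-access policy: who may change privileges, and the
# local-time hours (start inclusive, end exclusive) during which changes are allowed.
POLICY = {
    "authorized_grantors": {"admin_kim"},
    "change_window": (8, 18),
}

PRIV_ACTIONS = {"admin_grant", "admin_revoke"}


def parse_ehr(line):
    """Normalise one EHR key=value line into the common event schema."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"time": datetime.fromisoformat(ts), "source": "ehr",
            "actor": fields["user"], "action": fields["action"],
            "target": fields.get("patient"), "role": None}


def parse_directory(line):
    """Normalise one pipe-delimited directory line into the common event schema."""
    ts, action, *kv = [p.strip() for p in line.split("|")]
    fields = dict(p.split("=", 1) for p in kv)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "directory",
            "actor": fields["actor"], "action": action.lower(),
            "target": fields["target"], "role": fields["role"]}


def consolidate(ehr_lines, directory_lines):
    """Merge both sources into a single list ordered by event time."""
    events = [parse_ehr(l) for l in ehr_lines] + [parse_directory(l) for l in directory_lines]
    return sorted(events, key=lambda e: e["time"])


def privilege_changes(events):
    """Historical view: every grant or revoke of a privileged role, in order."""
    return [e for e in events if e["action"] in PRIV_ACTIONS]


def current_privileges(events):
    """Current view: replay grants and revokes to see who holds which roles now."""
    roles = defaultdict(set)
    for e in privilege_changes(events):
        if e["action"] == "admin_grant":
            roles[e["target"]].add(e["role"])
        else:
            roles[e["target"]].discard(e["role"])
    return {user: held for user, held in roles.items() if held}


def policy_violations(events, policy):
    """Return (time, actor, reason) for each privilege change that breaks the policy."""
    findings = []
    start, end = policy["change_window"]
    for e in privilege_changes(events):
        if e["actor"] not in policy["authorized_grantors"]:
            findings.append((e["time"], e["actor"], "privilege change by unauthorized actor"))
        if e["actor"] == e["target"]:
            findings.append((e["time"], e["actor"], "self-granted privilege"))
        if not (start <= e["time"].hour < end):
            findings.append((e["time"], e["actor"], "privilege change outside change window"))
    return findings


if __name__ == "__main__":
    evs = consolidate(EHR_LOG, DIRECTORY_LOG)
    print("privilege change history:")
    for e in privilege_changes(evs):
        print(f"  {e['time']} {e['action']} {e['role']} -> {e['target']} by {e['actor']}")
    print("current privileges:", current_privileges(evs))
    print("policy violations:")
    for t, who, why in policy_violations(evs, POLICY):
        print(f"  {t} {who}: {why}")
```

On the constructed data the history report lists three changes, the current-privilege report shows that only contractor7 still holds ePHI_Admin (jsmith's grant was later revoked), and the violation report flags contractor7's late-night self-grant three times: unauthorized actor, self-grant, and outside the change window. The same three functions are what a scheduled report would feed to stakeholders.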


Additional information on how Quest can help achieve HIPAA compliance can be found in this tech brief.