HIPAA Compliance – This Time We Mean It
Posted by Kurt Johnson - VP Strategy on Fri, Mar 20, 2009
With the rash of regulatory compliance mandates thrown at virtually every industry over the last decade, healthcare was not immune (no pun intended). Anticipating that advances in technology would have a major impact on the privacy of health information, the Health Insurance Portability and Accountability Act (better known as HIPAA) includes scrutiny of patient privacy and of how that information is handled.
One critical aspect of privacy protection is access to electronic health information. Knowing who has access to this data, whether that access is appropriate, how it was granted, and whether it is effectively removed when no longer needed are all key ingredients of an Access Assurance strategy and a critical part of the controls required for HIPAA compliance.
Still, many of the healthcare IT and audit professionals I speak with regard HIPAA much as a teenager regards music piracy: they are not that fearful of non-compliance and don't believe they are ever going to get caught. While many pointed at Atlanta's Piedmont Hospital and Seattle's Providence Health as the poster children for the impact of HIPAA non-compliance after being audited and penalized in 2007 and 2008 respectively, these once-a-year headline catchers weren't enough to scare people very badly. As a result, HIPAA has been more a way to secure budget than a driving force to strengthen internal controls around protecting patient data. Many folks I speak with tell me they are far more worried about the resource and organizational impact of implementing tighter security and controls than they are about fines for non-compliance.
Well, clearly I wasn't the only one hearing this. The Office of the Inspector General (OIG) decided to take a deeper look into Health and Human Services' (HHS) oversight of HIPAA and added HIPAA review to its FY09 Work Plan, with a strong focus on the HIPAA Security Rule and HIPAA Privacy Rule. OIG came down pretty heavily on HHS's failure to enforce the HIPAA rules (see the ModernHealthcare.com coverage and the OIG Report).
Apparently they weren't kidding around, and HHS is getting the message. Last month CVS Caremark agreed to pay $2.25 million to settle a federal investigation into whether it violated HIPAA privacy regulations. It appears the people in the white coats behind the counter threw items such as pill bottles bearing patient information into the trash. Whoops.
A penalty of this size is getting the attention of healthcare organizations, and they're starting to believe that HHS is serious this time. Many feel that HHS would relish the opportunity to grab headlines with major findings and penalties to prove it is getting its act together. In addition, the new stimulus law signed by President Obama (its HITECH Act provisions) expands HIPAA with stricter penalties and breach disclosure rules. Moreover, it authorizes State Attorneys General to bring civil actions against those who violate HIPAA. I'm sure this has AGs frothing at the mouth for new things to go after, and this, along with steeper fines, is grabbing the attention of healthcare security professionals.
What this means for security professionals is that it's time to get real about HIPAA. It's time to dust off the policies and procedures and focus on training staff in the protection of patient information. Also high on the list should be an assessment of data governance and access assurance:
- Where is the private data?
- What kind of data is out there?
- Who has access to this data?
- Do the right people have the right access to the right resources, and are they doing the right things with it?
- How will this be enforced and managed on an ongoing basis?
Practitioners and management must take ownership of private data and of how that information is protected. It's critical that healthcare organizations take a hard look at how they manage the lifecycle of access assurance. This starts with defining access policy, enforcing that policy, detecting when actions are inconsistent with policy, validating whether those actions actually violate policy and create risk, and then remediating to bring things back in line. It appears HHS is serious this time, and you don't want to be the next attention-grabbing headline out there.
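As an added illustration of what "detect, validate, remediate" looks like in practice (this is example code written for this post, not a product or procedure the original describes), the script below reconciles entitlements exported from application systems against a role-based access policy and the HR roster, and reports the four findings an access review should surface: orphan accounts with no HR record, accounts belonging to terminated staff, access outside the user's role, and access that has gone unused long enough to warrant recertification. The roles, systems, users, dates and the 90-day staleness threshold are all constructed for the example.

```python
"""Access-assurance reconciliation: compare granted entitlements against
role policy and the HR roster, and report what an access review should flag.

Added example, not from the original post. Every data set below is
constructed for illustration; the roles, systems, users and dates are
hypothetical.
"""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample inputs -------------------------------------------

# Access policy: the systems each job role is permitted to use.
ROLE_POLICY = {
    "nurse":      {"ehr_clinical"},
    "pharmacist": {"ehr_clinical", "pharmacy_dispense"},
    "billing":    {"billing_system"},
    "it_admin":   {"ehr_clinical", "billing_system", "pharmacy_dispense", "ad_admin"},
}

# HR roster: user -> (role, termination date or None if still employed).
HR_ROSTER = {
    "alice": ("nurse", None),
    "bob":   ("billing", None),
    "carol": ("pharmacist", date(2009, 1, 31)),   # left the organization
    "dave":  ("nurse", None),
}

# Entitlements as exported from the systems themselves: (user, system, last_used).
ENTITLEMENTS = [
    ("alice", "ehr_clinical", date(2009, 3, 18)),
    ("bob",   "billing_system", date(2009, 3, 19)),
    ("bob",   "ehr_clinical", date(2009, 3, 19)),      # outside the billing role
    ("carol", "pharmacy_dispense", date(2009, 1, 20)), # terminated, still provisioned
    ("dave",  "ehr_clinical", date(2008, 9, 1)),       # unused for months
    ("erin",  "ehr_clinical", date(2009, 3, 10)),      # no HR record at all
]

AS_OF = date(2009, 3, 20)   # date of the review (hypothetical)
STALE_DAYS = 90             # recertify access unused longer than this


@dataclass
class Finding:
    user: str
    system: str
    kind: str     # "orphan", "terminated", "out_of_role" or "stale"
    detail: str


def review_access(policy, roster, entitlements, as_of, stale_days=STALE_DAYS):
    """Detect entitlements inconsistent with policy or the HR roster."""
    findings = []
    for user, system, last_used in entitlements:
        if user not in roster:
            # Nobody in HR owns this account: classic orphan.
            findings.append(Finding(user, system, "orphan", "no HR record"))
            continue
        role, term_date = roster[user]
        if term_date is not None and term_date <= as_of:
            # Deprovisioning failed: access survived the termination.
            findings.append(Finding(user, system, "terminated", f"left {term_date}"))
            continue
        if system not in policy.get(role, set()):
            # Access the role is not entitled to, however it was granted.
            findings.append(Finding(user, system, "out_of_role",
                                    f"role '{role}' not permitted"))
        idle = (as_of - last_used).days
        if idle > stale_days:
            # Still within policy, but unused: candidate for revocation.
            findings.append(Finding(user, system, "stale", f"unused {idle} days"))
    return findings


def remediation_plan(findings):
    """Map each finding to the action that closes the loop."""
    actions = {"orphan": "disable", "terminated": "disable",
               "out_of_role": "revoke", "stale": "certify"}
    return [(f.user, f.system, actions[f.kind]) for f in findings]


def run_review():
    """Run the review over the constructed data sets."""
    return review_access(ROLE_POLICY, HR_ROSTER, ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:12} {f.user:6} {f.system:18} {f.detail}")
    print(remediation_plan(run_review()))
```

The point of the split between `review_access` and `remediation_plan` is the "validate" step in the lifecycle: a stale finding is only a candidate for revocation until an owner certifies it, whereas an account belonging to a terminated employee should be disabled without waiting for a review cycle. In a real deployment the three inputs come from an identity feed, an HR system and per-application entitlement exports, and the review runs on a schedule rather than once.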
I'd love to hear what you think.