Gary Swindon, CISM, CHS-III
Chief Operating Officer, RiskWatch Inc.
Protecting and securing medical information is a major concern for private, public, and government organizations in the health-care industry. Internal auditors are equally aware of this importance: Ensuring health-care records and other sensitive information do not fall into the wrong hands is of special concern. Auditors must determine whether or not the organization has taken the necessary steps to prevent the inappropriate exposure, damage, or loss of confidential data.
Since 1996, the U.S. Health Insurance Portability and Accountability Act (HIPAA) has provided organizations in the United States with guidance regarding the proper ways to protect personal health information through the act's Privacy and Security rules. While HIPAA's Privacy Rule provides information to help organizations regulate how they use and disclose personal health information, its Security Rule lists 42 standards companies need to implement to ensure the confidentiality, integrity, and availability of digital personally identifiable health information. Although both rules should be used together, the Security Rule is of special importance to IT departments, because it identifies how organizations can protect personal health information from external and internal security threats, such as e-mail attacks and password compromises.
Internal auditors can help organizations prepare for the IT component of the HIPAA security audit by focusing management's attention on key compliance considerations, such as the organization's IT governance structure; helping IT departments identify how the Security Rule's 42 standards will affect the organization's current IT environment; and comparing each of the report's findings to IT guidance provided in the Security Rule. This will enable auditors to help organizations gain the most from their HIPAA security audits.
SECURITY RULE COMPLIANCE CONSIDERATIONS
HIPAA compliance audits should be based on three things:
- An identification of the organization's governance model. Examples of IT governance models organizations might consider using include the IT Infrastructure Library, ISACA's Control Objectives for Information and related Technology (CobiT), and the International Standards Organization's (ISO's) 17799 or 27001 standards.
- A traditional screening, sometimes called a checklist, of all controls, countermeasures, and items of interest as defined in the scope of the audit.
- An identification of the master rules or conditions required by the regulation based on the organization's type (i.e., private, nonprofit, or publicly traded).
In the case of HIPAA's Security Rule, audits should be based on the rule's provisions or standards (i.e., safeguards and outcomes specified in the body of the regulation, as opposed to industry best practices) and be supplemented by the organization's chosen governance model. Understanding the organization's IT governance model is important, because it enables auditors to determine which standards the company views as appropriate and should be used in the conduct of the audit. The IT governance model also helps auditors frame audit findings and recommendations pertaining to IT controls and identify whether these controls are effective based on HIPAA compliance requirements. If the firm has no adopted IT governance model, the use of generally accepted IT industry standards to conduct the audit would be appropriate, such as ISO's 17799 and 27001 standards, CobiT, or the National Institute of Standard and Technology's Security Self-Assessment Guide for Information Technology Systems (PDF, 1.48MB)
The findings of the audit should help to confirm or call into question the governance model chosen. Audit results that indicate a clear pattern of noncompliance with rules and regulations should warn executives that the company's governance model may not be appropriate.
Traditional screenings or checklists identify required compliance elements that will be reviewed during the audit, such as key items to be addressed, personnel to be interviewed, and new or existing policies. These checklists are important, because they enable the auditor to provide a list of the different areas that need to be improved or implemented for compliance to take place.
Finally, an identification of the master rules or conditions required by the regulation based on the organization's type is important, especially in situations where the company chooses to meet other standards as a demonstration of its good intentions. A good example of this is when a private nonprofit organization adopts IT controls outlined in Section 404 of the U.S. Sarbanes-Oxley Act of 2002, even though the company is exempt from Sarbanes-Oxley compliance. HIPAA's Security Rule identifies four minimum requirements or master conditions that all implemented IT measures and controls need to meet (refer to "HIPAA Security Rule Master Conditions" for more information).
THE AUDIT PROCESS
The Security Rule allows auditors to construct their audit plans more effectively by expressing desired outcomes under three safeguard categories — administrative, physical, and technical. Each of these safeguards is divided into a number of standards — 42 total — which are then categorized as required or addressable. These outcomes can be found in a matrix that has been incorporated into the final Security Rule and is available on the Centers for Medicare and Medicaid Services Web site. Although required standards must be implemented as outlined in the Security Rule, addressable standards can be structured by the entity to suit its particular needs as long as the outcome conforms to those found in the Security Rule. This process is outlined in Figure 1.
Figure 1: HIPAA Security Rule audit process
HIPAA security audits require the auditor to pay attention to the prevailing general conditions or stipulations that may impact the audit plan, as well as how existing controls and methods address each of the 42 security standards. In terms of IT, auditors need to review the organization's use of appropriate controls to ensure the protection of personally identifiable health information. The following list provides useful information auditors should keep in mind during Security Rule audits:
- The HIPAA Security Rule is tied directly to the HIPAA Privacy Rule and incorporates elements of the Privacy Rule through cross referencing. For instance, the requirement found in paragraph 164.530 of the Privacy Rule deals with policies and procedures, including IT, and is carried forward in the Security Rule in its requirement for appropriate policies and procedures and in the retention period for them.
- The Security Rule's scope is corporatewide and applies to the implementation of security standards in all relevant business processes, not just IT.
- The Security Rule represents a minimum set of security standards organizations must have in place for compliance. Many businesses have processes and requirements that are unique to the way they do their work. As a result, appropriate additional IT controls and procedures should be in place.
- The Privacy and Security rules incorporate the extension of adopted IT and other standards to business partners through the formal Business Associate Agreement process. This is a formal standard stated in both rules. The standards for privacy and security are found in the Privacy Rule and Security Rule, respectively.
- The standards found in the Security Rule and the company's implementation of corresponding IT and other controls must be based on the results of periodic risk assessments conducted by the company. The results of these risk assessments will help the auditor determine the effectiveness of companywide information security efforts to protect business assets.
HIPPA SECURITY RULE MASTER CONDITIONS
The Security Rule outlines four master conditions or minimum requirements that apply to business controls and processes used to address the rule's 42 standards. These minimum requirements state that all selected controls must be:
- Cost effective. A company should not spend more for the control's implementation than the probable value of the information or process it is designed to safeguard.
- Within the technical capability of the firm. The company must be able to maintain and enforce the controls they choose without having to rely on an outside party. For instance, although a company can outsource its IT functions, it must be able to create, maintain, and enforce all IT controls if they are brought back in-house, such as access and authorization controls and audit log evaluations.
- Within the resource capability of the enterprise. The business should have the necessary IT resources to monitor and manage each control throughout the year.
- Suitable when weighed against their desired results. General IT, compensating, or alternative controls should correspond directly to the standard in question. For example, the requirement to be able to back up and restore patient data should rely on access controls, data verification and integrity controls, and storage requirements, among others.
During Security Rule compliance reviews, internal auditors need to identify how companywide IT measures and controls meet each of the four requirements.
EXAMINING THE REPORT'S FINDINGS
Prior to releasing audit findings, internal auditors should be able to answer questions regarding the report's IT recommendations. To do this, auditors can compare each of the report's findings to IT guidance provided in the Security Rule. The following questions can help auditors identify how current IT controls compare to IT guidance provided in the Security Rule, as well as determine whether existing controls meet compliance requirements:
- Given the IT governance model adopted by the firm, does the chosen IT control match the company's intention? If so, does it fit logically?
- Does the chosen IT control meet the general and master conditions outlined in the Security Rule? For example, does it meet the cost, capability, resource, and suitability requirement in the rule?
- Given the apparent investment level in the IT control, is the investment appropriate to accomplish the goal?
- As with any audit, are the IT controls documented adequately?
- Do IT controls tie to a stated security standard outlined in the Security Rule or to an identified business need above and beyond the rule's standards?
- Has the firm identified and documented addressable and required IT controls properly, including its rationale for the choice of action?
- For any given IT control, is there an obvious impact regarding the viability of the security system employed?
- Do audit findings represent a material condition or weakness (e.g. not being able to recognize revenue correctly and consistently or ensuring that pharmacy prescriptions are filled in a timely manner)? If so, is the finding material in its potential impact on financial systems, patient care safety standards, etc.?
- Do chosen IT controls support the company's risk posture? Auditors should look to the IT governance model for direction or to accepted industry standards if no governance model has been identified.
- Do the IT standards and controls make sense in the context of the company's choices as opposed to IT best practices?
LEVERAGING AUDIT RECOMMENDATIONS
Although the information above focuses primarily on the IT aspect of Security Rule compliance, these basic recommendations can be used for overall HIPAA compliance audits. These recommendations also can be applied to other regulations, particularly Sarbanes-Oxley and the U.S. Graham-Leach-Bliley Act (GLBA) of 1999. For instance, HIPAA, Sarbanes-Oxley, and GLBA share many common requirements, such as the need for companies to conduct regular risk assessments or the need to achieve cost effectiveness and stay within the company's IT capability. Furthermore, the blending of implemented audit compliance requirements from different regulations and the organization's adopted governance model can highlight the potential need for changes in the way the company views IT risks and uses IT resources.
For more information about HIPAA, visit:
- The U.S. Department of Health and Human Services' Web site: www.hhs.gov/ocr/hipaa/.
- The U.S. National Institute for Standards and Technology's Security Rule Resource Guide: http://csrc .nist.gov/publications/nistpubs/800-66/SP800-66.pdf. (PDF, 1.68KB)
- The HIPAA Security Rule Web page located on the U.S. Centers for Medicare and Medicaid Services Web site: www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf. (PDF, 309KB).