
OIG’s Review of CMS HIPAA Security Rule Oversight – What a Scathing Report Means For You

The OIG (the Office of Inspector General, the audit arm of the Department of Health & Human Services)
recently released its report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and
enforcement of hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly
characterizes the current regulatory compliance efforts by the CMS as lax. While the report is full of interesting
statistics about the extent to which the hospitals it audited as part of the analysis were lacking in security, I
thought it made sense to discuss the inevitable outcome for hospitals and, frankly, for any organization covered by
the HIPAA Security Rule.

What the Report Says About the Future

1. Expect post-breach due-diligence

In rock climbing, we had a saying: it’s not the fall that kills you, it’s the landing. Well, that certainly rings true
with a data breach. If you’ve read the news lately, you’re likely aware of the scrutiny into organizations that
have experienced a breach. Not only does the true financial cost and liability impact become clear in the weeks
and months following a breach, but the entire risk management strategy of the organization comes under a
microscope. And for those organizations that fall within HIPAA Security Rule compliance requirements, that is
echoed loud and clear in this report, in which it is stated that the CMS:

“performs compliance reviews of covered entities in response to breaches of unsecured protected
health information affecting 500 or more individuals”.

So, while many healthcare CIOs have never been through a compliance audit but may expect one in the event
of an ePHI data breach, after this report they can be assured of one. And when the microscope comes
out, here are the kinds of questions the CMS will be asking:

- Sure, you have security controls, but are they actually working?
- Does executive management have a clear understanding of their risk profile?
- Does your healthcare organization have a structured and systematic approach to risk management?
- Are you aware of, and do you follow up on, deficiencies in your security program?

So if your security is lax, the (in)effectiveness of your program will become clear in the post-breach analysis.

WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM


2. Expect Pro-Active Audits

While it may not be surprising to CIOs to expect some regulatory due diligence into their information security
programs after a breach, it may be more of a surprise that periodic or even annual regulatory security audits
by the CMS are inevitable. Not only are state Attorneys General being trained by the federal government on
HIPAA enforcement, but the OIG is clearly indicating that pro-active CMS auditing is what it would like to see.
Healthcare is unique in that, while it has clear regulatory guidance on security (the HIPAA Security Rule), it
has not been subject to consistent oversight in the form of audits. In other industries (financial services, for
example) CIOs have for years come to expect annual onsite visits from the regulators in which their security
programs and controls are reviewed. Here are some of the OIG statements showing that the current state of affairs
(lax auditing and minimal oversight) is not appropriate moving forward:

INSUFFICIENT OVERSIGHT AND ENFORCEMENT ACTIONS

CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals,
effectively implemented the Security Rule.

Here is another telling indicator from the report:

Although OCR stated that it maintains a process for initiating covered entity compliance reviews in the absence
of complaints, it provided no evidence that it had actually done so. The only reviews OCR mentioned were
related to our hospital audits. In the absence of evidence of a more expansive review process, we encourage
OCR to continue the compliance review process begun by CMS in 2009.

So it’s clear that healthcare organizations should expect pro-active audits not only from the State
Attorneys General, but at the federal level as well, from the CMS.

3. Expect the CMS to take a broad view of security

At Redspin, we’ve always been fans of taking a practical view of security and compliance. It looks like the
regulatory environment is poised to take a similar view.

RECOMMENDATIONS

We recommend that OCR continue the compliance review process that CMS began in 2009 and implement
procedures for conducting compliance reviews to ensure that Security Rule controls are in place and operating
as intended to protect ePHI at covered entities.

From a practicality standpoint this is a good thing. However, those entities that deploy controls just
because they have to, rather than putting real thought into the deployment to ensure the controls are
working as intended, will find that the mere existence of a control does not free them from regulatory liability.



Redspin Recommendations:

- Don’t just treat a HIPAA Security Risk Analysis like a check-the-box compliance item on your agenda.
Consider that a meaningful HIPAA Security Risk Analysis is the foundation for effective risk
management, and leverage the effort to build a robust and systematic information security program
that will maximize HIPAA Security Rule compliance while minimizing the risk of an ePHI data breach.
- Understand that by focusing on the intent of the HIPAA Security Rule you can achieve both security
and compliance. However, the inverse is not true: focusing on compliance does not necessarily buy
you security in the risk management sense of the word – in fact, in the OIG’s opinion, it won’t even buy
you compliance.
- Always remember that it’s not the existence of a control that matters, it’s the effectiveness.

Conclusion

While additional oversight may seem daunting, the good news is that hospitals and other healthcare
organizations can get lasting practical and compliance value from doing an annual HIPAA Security Risk
Analysis.

- It can be used to meet the meaningful use core objective of safeguarding ePHI.
- It’s the foundation of a robust information security program.
- It can be used to give executive management visibility into their risk profile and overall IT
environment.
- It can lower your overall risk profile by identifying and prioritizing critical risks.
- In the event of a CMS audit, it will provide evidence that your organization has a robust security
foundation and a systematic information security program.

* Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and
Accountability Act of 1996 Oversight (A-04-08-05069)
