When I was asked earlier this year to write about the lessons from the audits performed under the Office for Civil Rights' new audit program, I sat down and began to write. Having discussed this topic many times, it was fairly easy to get started, but as I did I realized that the tone of the piece seemed overly negative and therefore not a fair and particularly balanced assessment of what we've learned. I refer of course to the difference between the results of last year's audits, and my experience in this industry over the last thirteen years.
Healthcare has made significant strides in privacy and security in the last decade. Many healthcare organizations, some I watched personally, have built solid information security programs and experienced the benefits from doing so. However, for an industry that does amazing things with technology and information every day and has as one of its core principles "to do no harm," which encompasses patient privacy, the results from last year's audits are, in a word, unacceptable. To be clear, when I say unacceptable I don't simply mean we failed but mean that the results are inconsistent with who we are as an industry and what we stand for. There are many lessons that can be gleaned from these audits, but probably the most obvious is that as an industry we still have a way to go.
So let's begin by summarizing some of the lessons that seem to jump out upon first review of the results. Overall the results were poor. Almost 90 percent of the organizations audited had multiple findings and deficiencies with the rules identified, and 10 percent of the organizations audited were totally unprepared. Larger organizations fared better with their audits than smaller organizations. Small organizations, Category 3 and 4 entities, which comprise physician practices, small clinics, rural hospitals, critical access hospitals, etc., accounted for more than 65 percent of the total findings for covered entities.
Organizations performed better against the Privacy Rule than they did against the Security Rule. Security accounted for about 30 percent of the measurable criteria yet represented 60 percent of the total findings. To compare these two is really an apples-to-oranges comparison. Security represents a much larger challenge for organizations to address from a resources, technology and people perspective. In fact, when you look more closely at some of the shortfalls in performance against the Security Rule, it quickly becomes obvious that a lack of resources, technology and people contributed significantly to the audit outcomes.
Last, but not least, in the general category, if you aren't expecting to be audited, think again. Audited organizations included covered entities of all sizes and shapes: hospitals, physician practices, dental practices, pharmacies, laboratories, long-term care, insurers, health plans and clearinghouses. The lesson here is: get prepared, you can be audited.
Privacy
Privacy outcomes, unlike security, did not seem to present any real glaring trends. Generally organizations had policies and procedures covering privacy. Shortfalls noted were more a matter of disciplined performance in terms of follow-through or the misapplication of the rules around authorization for disclosure and minimum necessary. Further clarification of the latter through guidance is still pending but is expected later this year.
Privacy compliance benefits from being largely related to a set of processes that are well documented and from the fact that it is fairly straightforward. Unlike security, where there are many "addressable" requirements and where compliance in some cases relies heavily on the implementation of some technology, privacy requirements center on individuals using and applying various rules and procedures for uses and disclosures. Applying the principles of least privilege and minimum necessary is important when dealing with business associates. Training of workforce members, discipline and documentation of actions and an adherence to the principle of least privilege are all important and the keys to a successful audit outcome.
Security
Security is where the majority of the lessons were learned. There were some overarching lessons gleaned that related directly to the fact that security, as mentioned above, relies in part on the acquisition of technology or additional resources to successfully achieve compliance. An example of this was auditing and monitoring system and user activity. The expectation, and the reality for most environments, is that you need to implement log-monitoring technology to accomplish this requirement effectively. Many have not done this and were cited for ineffective monitoring. There were also several cases where organizations had implemented log-monitoring technology, yet they were cited for failing to meet the requirement because they were not utilizing the capabilities of the technology. In most cases it was attributed to not having sufficient resources to process the information provided.
Addressable specifications presented another challenge for audited entities as it related to selecting reasonable alternatives and documenting those decisions. Organizations that treated all specifications as if they were required had better success in meeting the criteria for reasonableness in selecting alternative measures for addressable specifications. Part of the problem here is that some organizations still believe that addressable means "optional," which it does not. Additionally, the requirement to conduct a risk analysis as described in OCR's guidance continued to plague organizations. Forty-seven of 59 providers, 20 of 35 health plans and two of seven clearinghouses failed to produce complete and accurate risk assessments. If not understood before, the takeaway here for everyone is that OCR expects organizations to periodically conduct a risk analysis that conforms to the approach described in NIST 800-30. Organizations were also surprised to find auditors requesting contingency planning for systems other than those considered core or top tier. The rule is clear: backups and contingency planning are required for all systems that store electronic protected health information. The lesson here is simple: Address them all.
Another trend seen through the audits was with regard to access management. Access management is all about provisioning users based on roles, tracking and managing their accesses and privileges throughout their tenure, and removing their access upon termination. Generally we learned that organizations have consistent processes for provisioning users and for removing access upon termination, but fall short when managing the individual's accesses along the way. We learned that accountability is an issue, ranging from not having accurate inventories of systems with protected health information, to lax procedures for tracking where assets are located, to a lack of documented records for destruction of both devices and media. We also learned that consistency in following established procedures, such as the security incident response, is important to delivering consistent results.
More lessons
OCR's audits provided a broad-based opportunity to get a glimpse into the industry's performance against the Privacy, Security and Breach Notification Rules. For many, it represented a much more thorough review of their organizational compliance practices than they were expecting or had previously experienced, particularly as it related to the level of scrutiny and documentation required to demonstrate compliance. At the same time, for some it provided an opportunity to demonstrate the strength of their program. Eleven percent of those audited completed their audits with no deficiencies.
For all the lessons learned from this first round of audits, there are also several questions raised. For instance, the number one answer auditors received for non-compliance was that the entity was unaware of the requirement. This seems hard to believe given that the rules have been in place for at least a decade, and it begs the question: if it is accurate, how is this possible? More importantly, what does the federal government need to do to raise awareness? Probably just as troubling, though, were some of the other reasons given for the lack of compliance, such as lack of resources, lack of personnel and lack of priority. While for larger entities addressing this may be as simple as revising priorities, for smaller entities this might prove to be a real challenge. Again, the question is what can or will be done to assist these organizations?
More to come
Audits are due to resume sometime in the not too distant future after OCR has a chance to update its processes and the protocol and to incorporate business associates. OCR is supposed to add best practices gleaned from the audits to its website. That should provide a resource for the industry to use and help organizations improve compliance and audit readiness. I'm also sure we'll learn more lessons from future audits and hopefully we'll see a marked improvement in results as well.
Mac McMillan, FHIMSS, CISM, is co-founder and CEO of CynergisTek, Inc., a firm specializing in the areas of information security and regulatory compliance in healthcare. He is the current chair of the HIMSS Privacy & Security Policy Task Force. Mr. McMillan brings over 30 years of combined intelligence, security countermeasures and consulting experience to his position from both government and private sector positions.