Make healthcare data security a 2012 priority

It's 2012 and a new year, but I'm guessing your resolutions did not include learning more about privacy or data security. That's okay. Mine didn't either. That said, I am very excited about this new opportunity to talk about security with this community, and I hope you'll find it informative and useful. I am very open to your comments and insights and am looking forward to continuing the conversation. I will try to mix it up between theory, practical approaches, available resources, regulatory and legal updates, and lessons learned from others. Along the way, if there is a particular topic you want to discuss, please send it in or note it in the comments area.

I should probably start with a brief introduction. My bio appears below so I won't bother with covering that. Instead I'd like to provide some relevant background that hopefully will help you appreciate my understanding of healthcare.

For the last 12 years, I've consulted on data security and privacy to healthcare organizations large and small. I've also been very involved with various healthcare professional associations, but probably most meaningful here would be HIMSS, MGMA and ACPE. My work with HIMSS has given me the opportunity to participate on the front lines with others on privacy and security issues affecting healthcare. With MGMA, I was part of the joint collaborative that created the Small Provider HIPAA Security Toolkit, which is a free resource for physicians and physician practices. I was also fortunate this past summer to be a part of the Capstone Course faculty for the new ACPE health IT certification, where I taught a course specifically designed for physicians in leadership positions, physicians headed to CMIO roles, or physicians who just wanted a better understanding of health IT. Over the past decade, I've been extremely fortunate to work with many physicians in a variety of roles.

So there's a lot to talk about regarding privacy and data security, and I'd like to challenge everyone to think about an additional New Year's resolution to make this an active and useful discussion. First up, I thought we could discuss the new random audit program that the Office for Civil Rights (OCR) launched in December. Why is that relevant? The first 20 sites selected for audit included three physician practices.

This program, which is part of OCR's responsibility under the HITECH Act, requires random compliance audits of entities covered by the HIPAA privacy and security rules. To conduct these audits, OCR has contracted with KPMG to perform 150 audits between now and Dec. 31, 2012. And as I mentioned above, the initial 20 sites selected included three physician practices. The process has been described fairly well in other periodicals, but here it is just in case:

It all starts with a letter from OCR notifying the organization that it has been selected for an audit. The letter provides some background and then requests that a significant amount of information be sent to the audit team within 10 calendar days of the date of the letter. The items requested include copies of the security risk assessment, policies and procedures, network diagrams, organization charts and similar documents. In most cases the organization does not receive the letter until three or four days after it was mailed, which means it has fewer than 10 days to collect and forward the information.

This is a tight turnaround, but it's not the time to overreact and try to create items that don't exist. Simply collect and produce what you do have, and then begin the process of identifying your plan for remediating the gaps. Shortly after sending this letter, the audit team will also schedule a conference call to explain the rest of the process. The onsite audit can take place anytime within the next 30 to 90 days, and again the organization will be given short notice, possibly no more than five days, before the team arrives. Depending on the size and complexity of the organization, the audit team will include three to five members and can remain onsite for six to 10 days.

When the audit is complete, the team will provide an informal out-brief. This will be your first real indicator of how well you've performed, and it provides another opportunity to think about remediation. The audit team will then forward its report to the audited entity for comment, and the audited entity has 10 days to prepare its response, which is another good reason to be organized and to start thinking about remediation as early as possible. Once the audit team receives your comments, both the report and the response are forwarded to HHS/OCR. OCR will review the report along with the covered entity's response and will then communicate next steps.

Next time we'll talk about ways to prepare for these audits.

Michael "Mac" McMillan is co-founder and CEO of CynergisTek, Inc., a firm specializing in information security and regulatory compliance in the healthcare sector. Mac has more than 30 years of combined intelligence, risk management and security consulting experience. He has worked in the healthcare industry since his retirement from the federal government in 2000. He is the former chair of the HIMSS Information Systems Security Working Group. In 2009 he joined the HIMSS Privacy & Security Steering Committee and was selected as its chair in 2010. He contributes frequently to healthcare periodicals and was a contributing author and editor for the HIMSS book Information Security in Healthcare: Managing Risk.
