Gathering Storm Clouds on the Audit Front

-- With Apologies to Judy Garland, Harold Arlen, and a Cast of Flying Monkeys -- 

"Auntie Em!  Auntie Em!  There's a twister a-comin'!"  Well, I won't vouch for the accuracy of the quote, but I see some pretty ugly clouds on the horizon.  A few comments from Federal officials, a job posting, and a conversation with someone whose company went through one of the random audits last year, and now I'm concerned.  Is there a HIPAA storm cellar?  You may want one.

I guess I'm not reporting anything new if I take note of the numerous public comments by HHS officials that in the first round of random audits, they found that entities weren't doing much internal auditing of system and network activity to ensure proper use of systems and data by the appropriate people.  It's also nothing new that the folks heading up the HHS Office for Civil Rights have said that enforcing the auditing requirements will be a focus of their work in the coming months.  And I'm sure I'm among thousands of people on the HHS mailing list who in the last week received a notice that HHS OCR was looking to hire people to do HIPAA privacy and security audits.  That's troubling enough.  Those two things mean that if you haven't started to follow up on the HIPAA Security Rule's system monitoring and activity review safeguards, you're leaving yourself open to fines and corrective action plans with a growing workforce dedicated to enforcement, full-time.

But then I had a nice long talk yesterday with someone whose organization was audited by HHS in a random audit last summer.  For five days, the hired guns from KPMG lived in a conference room and collected information.  Asking questions, verifying answers, verifying the verification, almost like automatons, no emotion, no human interaction, really.  The questions they asked were the ones in the HIPAA Audit Protocol (http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html), and that's scary enough, but in many ways the audit was like an SSAE16 (formerly SAS70) SOC2 audit, in that they were looking to see how well the organization sticks to its policies, whatever they are.  Out of some 300 employees, one had missed their annual required HIPAA training, because that person was out and couldn't attend despite almost heroic efforts to do so, and the auditors wrote it up as a deficiency.  They backed down after a letter from the organization's lawyer, but the point is, if you have a policy, you had better be sure you're doing what it says you do, or you will have to defend your actions, and that's just plain expensive, time-consuming, and unpleasant.

-- If I Only Had a Brain -- 

So, let's take that little nugget of truth and apply that to the internal auditing issue.  Are you starting to feel a little bit of, "Oh, I haven't really been doing enough," in the pit of your stomach?  I know there are plenty of internal auditing policies out there that call for regular reviews, which is what HHS says is necessary, but has everyone been doing those reviews?  I doubt it.  It's among the most time-consuming, boring, annoying tasks in security, and everyone hates it.  So, what do you do?

First of all, start doing something and document it.  Schedule regular reviews of access lists.  Schedule a regular random audit of at least one employee's computer use, and one patient's access history.  It doesn't have to be much, but you have to do something and you have to do it on a regular basis, not just when there's a complaint or some other event.  See what your policy calls for, and write the procedures, and then, most importantly, audit your auditing compliance to make sure you're doing what your policies and procedures call for!  What you can show in documentation and what the policies and procedures call for MUST match!  You can have a great auditing policy, and you may have some great audits, but if they don't match, you're going to have some explaining to do.  Ugh.
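One way to "audit your auditing compliance" is to compare the dates in your review documentation against the cadence your policy requires.  The script below is an added example, not part of the original column; the review names, the cadences, and the log entries are constructed assumptions, so substitute the intervals from your own policy.

```python
from datetime import date

# Assumed policy cadences in days (hypothetical; use the ones your policy states).
POLICY_DAYS = {
    "access_list_review": 90,
    "employee_activity_audit": 30,
    "patient_access_history_audit": 30,
}

# Constructed sample of documented reviews: (review type, date performed, reviewer).
REVIEW_LOG = [
    ("access_list_review", date(2013, 1, 10), "jdoe"),
    ("access_list_review", date(2013, 4, 5), "jdoe"),
    ("employee_activity_audit", date(2013, 1, 15), "asmith"),
    ("employee_activity_audit", date(2013, 2, 12), "asmith"),
    ("employee_activity_audit", date(2013, 4, 20), "asmith"),
    ("patient_access_history_audit", date(2013, 1, 20), "asmith"),
]

def find_gaps(policy, log, as_of):
    """Return (type, kind, from_date, to_date, gap_days) where documentation
    does not match the cadence the policy calls for."""
    findings = []
    for review_type, max_days in sorted(policy.items()):
        dates = sorted(d for t, d, _ in log if t == review_type and d <= as_of)
        if not dates:
            # Policy requires the review but nothing was ever documented.
            findings.append((review_type, "never_documented", None, as_of, None))
            continue
        # Check each interval between documented reviews, then last review to as_of.
        checkpoints = dates + [as_of]
        for i, (earlier, later) in enumerate(zip(checkpoints, checkpoints[1:])):
            gap = (later - earlier).days
            if gap > max_days:
                kind = "overdue_now" if i == len(dates) - 1 else "missed_interval"
                findings.append((review_type, kind, earlier, later, gap))
    return findings

if __name__ == "__main__":
    for finding in find_gaps(POLICY_DAYS, REVIEW_LOG, date(2013, 5, 1)):
        print(finding)
```

A "missed_interval" finding is a historical gap you will have to explain; an "overdue_now" finding is one you can still close by doing and documenting the review.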

Here is everyone's homework for this week:  Look up your HIPAA security internal audit policy -- system activity reviews, access reviews, those kinds of things.  Do you have one?  Do you have any supporting procedures that say how you, in your facility, will do those audits?  If you already have these in writing, start doing them now, and then see how well you can actually do what you're saying you do.  Be prepared to make some adjustments in your procedures so you can have a defensible position if you're audited -- and document everything!

"But I have such tight access controls that it would be nearly impossible for someone to access information improperly!"  Then your audits will be quick and easy verifications. You can't get out of it -- you have to verify.

-- Somewhere Over the Rainbow -- 

(Am I going to be getting into trouble with the copyright lawyers for all these references?)

HIPAA compliance does sometimes feel like it's somewhere over the rainbow, but what is it like back in dusty, old, black-and-white Kansas, Dorothy?  There are actually things you can do to be prepared.  First of all, get to know the HIPAA Audit Protocol.  Go to the Web site, check just the "Security" questions, select the popup to show "all", click the button to "Export to CSV", and open the file in your favorite spreadsheet.  Do some formatting so you can actually read things and use it, add some columns to show your answers, to identify your documentation, and to say what you need to do to improve things.  Go through the questions.  Once you go through this exercise, you will know your weaknesses, and you will see what you need to put time into so you can have good answers when the auditors call you.

You will probably see that you have deficiencies in your auditing activities, procedures, and documentation.  You will then have justification to spend the time you need to on getting your policies and procedures up to snuff and documented, to begin following them, and to make adjustments so your activity matches your policy and procedure.  And make sure everything is properly documented.  

And maybe if you're picked for a random audit it won't feel like the flying monkeys are out to get you.

Jim


              Copyright © 2002-2017 Lewis Creek Systems, LLC  Charlotte, Vermont, USA