Re: HIPAA Security Audits?

[Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>]

Hello,

I agree with Blake, the NIST 800-66 document on HIPAA Security Audit
Framework is the best available.  The OMB directed NIST to help federal
agencies to comply with such mandates as HIPAA.  NIST has released this
document in response to the direction of the OMB.  My company does
HIPAA Security Audits for universities, hospitals, medical clinics, and
even government sector clients, and we used this document to design our
HIPAA Audit Framework.

If you are doing a HIPAA Security Audit to make sure that your campus
clinic is in compliance, then I would agree that you are most likely a
covered entity that needs to consider HIPAA.  However, if you are
worried about other ePHI that you have, it is possible that whether or
not you are a covered entity is a topic for discussion.

I don't know how far you have gone in the process, but if you have not
determined whether or not you are a covered entity, the Department of
Health and Human Services has a tool on their website that you can use
to determine whether or not you are a covered entity and whether or not
you have transactions that must be HIPAA-compliant.

To quote NIST 800-66, a covered entity (as I would assume you MAY fall
under) would probably be "Covered Health Care Providers—Any provider of
medical or other health services, or supplies, who transmits any health
information in electronic form in connection with a transaction for
which HHS has adopted a standard." Which would mean that your
University Health Clinic could fall under this category.  This
statement is not necessarily in "plain English", so the definition
of "health information in electronic form in connection with a
transaction for which HHS has adopted a standard" can be determined by
using the tool on the Department of Health and Human Services website.

If you would like professional guidance, we would be happy to help out
in whatever capacity you need.  As a consultant/teacher, etc.

Thanks,

Sarah E Stevens



> This is a multi-part message in MIME format.
>
>
> We are using NIST 800-66 as our HIPAA Security audit framework.  Each
> section is broken down into elements with key activities,
descriptions, and
> sample questions.  These translate well into an audit or assessment
> scorecard for each element.  Examples are also included for those less
> familiar with some of the material.
>
> I am going to personally assess our campus clinic using assessment
> procedures that I learned and practiced in the financial sector.  Get
a good
> auditor/assessor with experience in a highly regulated sector and you
should
> be fine.  If you don't have one on staff, "renting" such an
individual and
> having one or more of your people tag along might be a good idea.
>
> I think that the answers to a lot of your questions are best decided
by
> professional discretion rather than blanket policy initially.  The
right
> professional should be able to answer those questions in the context
of your
> particular environment and document these answers.  You can then use
this
> work to help create policy addressing these issues.  Just my $0.02
>
> __________________________________
> Blake Penn, CISSP
> Information Security Officer
> University of Wisconsin-Whitewater
> (p) 262-472-5513 (f) 262-472-1285
> e-mail: pennb () uww edu
>
>
> ________________________________
>
> From: H. Morrow Long [mailto:morrow.long () YALE EDU]
> Sent: Tuesday, July 12, 2005 2:03 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] HIPAA Security Audits?
>
>
> Have any higher ed institutions decided how/if they are going to
perform
> audits of departments and/or systems to assess compliance with the
HIPAA
> Security regulations -- and if so what the audit assessment procedure
(s)
> would be? I'm also interested in who would be performing these audits,
> how often they would take place and what criteria would be used to
> determined who/what/it would be audited (primary/secondary ePHI data,
> etc.). Have you received any advice as to what is considered to be a
> reasonable policy/procedure from your legal or audit department (e.g.
> is 'system activity review' of system logs for ePHI systems by the
school
> or department considered sufficient or is -- in addition -- a random
spot
> check or regular audit of both physical and IT security of such
systems
> to be conducted? Respond in public or private -- a summary of the
> responses will be posted.
>
> - H. Morrow Long, CISSP, CISM, CEH
> University Information Security Officer
> Director -- Information Security Office
> Yale University, ITS

--