The HIPAA Omnibus Final Rule, released January 2013, introduced some significant changes and updates. The 2012 HIPAA audits, performed by KPMG, concluded with some initial findings released by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). These two events may impact how you govern your internal organization and network for patient privacy and protection of PHI.

Here are nine network considerations to address in the new HIPAA landscape.  I will discuss the first consideration in this blog.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

HIPAA Audits will continue

The 2012 HIPAA audits concluded, and OCR will receive the evaluation results and recommendations from PWC in September 2013. Initial evaluation of these audits shows that most covered entities did not maintain a continuous HIPAA program, which is not surprising, as healthcare is the top industry for most data breaches. OCR has stated that audits will continue in late 2013 or early 2014, and that civil money penalties will help to fund and drive additional HIPAA audits. OCR does not want audits to appear punitive, but enforcement needs to be stronger and more frequent in order to improve patient privacy and PHI protection in the healthcare industry. No industry leader wants to be at the top of the ‘most breached industries’ list.

The deadline for compliance with the updates in the HIPAA Omnibus Final Rule is September 23, 2013. This next round of audits will include business associates, whereas the 2012 audits included covered entities only. The 2012 audits showed that non-compliance with the Security Rule accounted for 60% of the findings and observations (from the NIST HIPAA Security 2013 webcast in May 2013), even though only 28% of the audit questions were based on the Security Rule.

For IT network and security groups, be aware that the Security Rule will be an area of focus in the next round of HIPAA audits. Understanding what you have in place today can help you prepare for an audit and apply reasonable and appropriate protection to your PHI.

Recommendation: Update relevant departments about the new HIPAA timelines and changes, so you can start to prepare and build a strategy for improving the protection of PHI.

Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit http://www.cisco.com/go/compliance.


Terri Quinn

Security Solutions Manager

Security Technology Group