Continuing the thread from the last blog where I discussed the first HIPAA network consideration, ‘HIPAA Audits will continue’, in this blog I’ll discuss the second network consideration on the list below.  Remember, The HIPAA Omnibus Final Rule, released January 2013, introduced some significant changes and updates.  The 2012 HIPAA audits concluded with some initial findings released from The Department of Health and Human Services (HHS) Office of Civil Rights (OCR).  These two events may impact how you govern your internal organization and network for patient privacy and protection of PHI.  The deadline for compliance with the updates to the HIPAA Omnibus Final Rule is September 23, 2013.

In summary, below are the nine HIPAA network considerations:

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

The HIPAA Audit Protocol and NIST 800-66 are your best preparation

OCR has publicly posted the HIPAA Audit Program Protocol used during the 2012 HIPAA audits, so you can prepare and build/improve your HIPAA program.  It is pre-Omnibus, but still very applicable, and I personally expect that OCR will keep most of the existing items and add specific Omnibus Final Rule  requirements to the existing Audit Program Protocol.

There are three sections to this Audit Program Protocol―Privacy, Security, and Breach.  For IT Security, the primary area to review and learn is the Security Protocol, which has 78 Key Activities, the Performance Criteria for each activity, and Audit procedure for each Key Activity.

During the 2012 HIPAA audits, the results showed that the Security Rule accounted for 28% of the audit questions, yet accounted for 60% of the findings and observations.  Leon Rodriquez, head of OCR, stated during the NST HIPAA Security 2013 webcast in May that ALL of the Security findings could have been met using the implementation specifications (required and addressable) in the HIPAA Security Rule.  Often, the technology exists to satisfy a requirement, but the documentation doesn’t exist or is not sufficient to meet the requirement.

Because HIPAA utilizes a self-assessment model, the Audit Program Protocol can give good guidance on how to self-assess, knowing that if an audit does occur at your organization, you know what to expect and are prepared to effectively respond.

The NIST 800-66 document ‘Introductory Guide to Implementing HIPAA Security Rule’ is consistent with and supports the HIPAA Audit Protocol.  The NIST 800-66 document also includes questions that a knowledgeable  IT security group can answer with recommendations that those questions and answers be documented.  These questions are not just check list items for an audit or HIPAA, but are questions regarding securing information and utilizing security best practices and methodologies.  Using this guide should help improve your network security posture throughout your network and apply to other sensitive and critical information.

Recommendation: Identify someone on the network security team to become the technical lead on the HIPAA Audit Protocol and NIST 800-66.

Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit www.cisco.com/go/compliance


Terri Quinn

Security Solutions Manager

Security Technology Group