The HIPAA Omnibus Final Rule is now in effect and audits will continue in 2014. At the HIMSS Privacy and Security Forum in Boston on Sept. 23, Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights, said to those who are wondering how the new rule will be enforced: “You’ll see a picture of where we’ll spend our energies” based on previous enforcement actions. Enforcement actions to date have focused on cases involving major security failures, where a breach incident led to investigations that revealed larger systemic issues, Rodriguez said.

Given that context, it is timely that this post in our series on the 9 HIPAA Network Considerations covers #7, Security best practices are essential.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

The general rule of the HIPAA Security Rule is to ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained, or transmitted, and to protect it against reasonably anticipated threats [45 CFR 164.306(a)]. That relates directly to network security best practices. In the 2012 HIPAA audits, security had more than its share of findings and observations: the Security Rule accounted for 60% of the audit findings and observations, even though it accounted for only 28% of the audit questions. At the NIST OCR Conference in May, OCR presented the summary below.


Security best practices are critical to protecting ePHI, achieving HIPAA compliance, and passing audits. Even though the HIPAA Security Rule does not explicitly name specific technologies that must be used to meet its implementation specifications, security best practices rely upon a few well-known and well-understood foundations: strong passwords, user authentication, firewalls, VPN encryption, detection technologies, and monitoring/alerting management systems.

The security best practices your network and security teams already have in place are most likely protecting some of your PHI today. Those same practices can be used to help you address HIPAA compliance as well. Rely on what you have and supplement what you need based upon the findings of your risk assessment and your knowledge of where your ePHI resides in your network. But rely on security best practices, not just on compliance requirements, to drive more effective protection of your PHI and other critical data.

Recommendation: Review the security best practices your teams have in place that can be used for protection of PHI and HIPAA compliance, and utilize your risk assessment to build upon your existing security practices.

Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit http://www.cisco.com/go/compliance

Terri Quinn

Security Solutions Manager

Security Technology Group