
Governance and Risk

From regulatory compliance to corporate governance structure, everyone is involved


You've Tackled Sarbox Audits; Are You Ready for HIPAA?

Posted by Lora Bentley Jun 19, 2007 2:00:18 PM

The concept of an audit is nothing new to companies that are subject to Sarbanes-Oxley, but it may be relatively new to organizations subject to the Health Insurance Portability and Accountability Act, because until now the Department of Health and Human Services has not conducted an official audit for HIPAA compliance. According to Computerworld, Piedmont Hospital in Atlanta, Ga., is currently undergoing the first one, and it is prompting others in the health care industry to double-check their own compliance status.


In a recent IT Business Edge interview, health care attorney and HIPAA blogger Jeffrey P. Drummond explained that the industry's reaction to the Piedmont audit will help determine what HHS does in terms of future audits:

...[T]he Piedmont audit, even if it comes out clear, is already shaking some folks into action. If OCR [HHS Office of Civil Rights] perceives the industry as reacting to the audit by reinvigorating efforts at HIPAA compliance (particularly Security, which never got the attention it deserved from folks who got worn out chasing after the Privacy regulations), the sleepy enforcement environment will continue. If they think the audit was shrugged off, they'll find some other folks to pick on.

How do you prepare for the inevitable HIPAA audit?

Most of the privacy portions could be implemented pretty much right out of the box, but some areas (such as employee access to information) should be readdressed occasionally... Security is an ongoing chore though, and HIPAA compliance folks and IT folks should be working together regularly to reassess risks and weaknesses and implement appropriate responses, particularly considering changes in the security environment...


Oh, and document the crap out of everything. For example, there are some components of the Security Rule where action is not required, merely "addressable." In those cases, if you determine you don't need to take any action, you still need to document the fact that you considered the issue and reached the determination that action was not required.

Jun 20, 2007 8:37 PM Guest Jeff Drummond says:

News continues to hop on the Piedmont audit. I don't know if this report of the 42 questions allegedly in the audit is true, but it rings true -- if you can't answer these questions, you haven't done HIPAA Security, that's for sure. Here's a link to the story: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&intsrc=hm_list
