A recent ePHI data security audit completed by the New York Office of the State Comptroller has seen Roswell Park Cancer Institute pass with no HIPAA violations identified. The healthcare provider was commended for the effort it has put in to protecting the privacy of patients.
It is rare for a healthcare organization to make the headlines forputting in place all of the appropriate physical, administrative and technical safeguards required by HIPAA.
The State of New York Office of the State Comptroller (NYOSC) carries out regular audits of state organizations, most of which are related to corporate finance. However, last week the NYOSC revealed it had completed an ePHI compliance audit of Roswell Park Cancer Institute (RPCI).
The audit was conducted specifically to test thesecutiry measures the healthcare provider had put in place to secure patient data, pursuant to Article X, Section 5 of the State Constitution, and Section 2803 of the Public Authorities Law. NYOSC is also allowed to fine organizations for violations of data security rules under the HITECH Act.
The Buffalo-based healthcare supplier was audited on HIPAA Security Rule compliance, and the protections put in place to secure its Electronic Health Record system. The assessment reviewed all ePHI created, received, maintained, or transmitted, with the test duration running from January 1, 2013 to March 6, 2015. RPCI’s EHR system contains information on approximately 4,000 patients.
RPCI was found to have put in place a robust multi-layered security system to maintain data securely, had breach notification policies in place and demonstrated a fast and efficient response to security incidents during the audit period. NYOSC deemed RPCI to be compliant with HIPAA regulations, having installed all of the necessary measures to reach HIPAA’s minimum data security standards.
The ePHI security audit may not have identified any violations of the Security Rule, but it did highlight issues with data security that had not been addressed. In some cases, those security weaknesses had been known for some time, yet had not been resolved. HIPAA requires security weaknesses to be identified by a risk assessment and those risks must be addressed; however a timescale for mitigating risk is not given.
NYOSC ruled that RPCI had in place all of the necessary controls to secure data, as required by the Health Insurance Portability and Accountability Act, but it did make a number of recommendations. RPCI had completed annual risk assessments; however not all of the security vulnerabilities found had been addressed, with one potentially serious vulnerability allowed to persist for more than 12 months.
19 ‘high risk’ and 34 ‘medium risk’ vulnerabilities have been found by RPCI since 2009. RPCI said four of the high risk items have now been removed, a further 6 are in the process of being resolved and two have been put back to be dealt with in a future risk review.
Only three medium risk items have been removed, 15 are in the process of being fixed and 3 have been deferred until a later date.
This is not actually a breach of HIPAA Rules – Risk assessments were carried out, weaknesses identified, and action taken to address those vulnerabilities. In RPCI’s case, and with other HIPAA-covered bodies, security vulnerabilities are prioritized, with the most serious problems tackled first.
RPCI pointed out to auditors that under HIPAA Rules, the prioritization and deferring of security risks is allowed, and that it is not required to fix all vulnerabilities immediately.
NYOSC auditors stated that “While this practice for prioritizing risk remediation does not violate the Security Rule, we believe it contradicts the Institute’s own policy of promptly addressing high risks, especially those that remain open over multiple periods. Of the 18 risks that the Institute had no formal plans to address as of April 2015, seven were considered high-risk items, including one related to accounting for all ePHI assets.”
As a consequence, NYOSC recommended steps be taken to address risks that have remained open over multiple periods of time, in addition to putting in place new reporting mechanisms to support risk mitigation strategies. NYOSC also recommended steps be taken to improve the technical safeguards put in place and suggested physical safeguards could be improved.
Full details of the report can be downloaded here.