Health Care Alert
April 2008

Author: Patricia C. Shea
717.231.5870
patricia.shea@klgates.com

K&L Gates comprises approximately 1,500 lawyers in 25 offices located in North America, Europe and Asia, and represents capital markets participants, entrepreneurs, growth and middle market companies, leading FORTUNE 100 and FTSE 100 global corporations and public sector entities. For more information, please visit www.klgates.com.

Death, Taxes, and Security Rule Audits: Three Things You Can Count On

Recently, the Centers for Medicare and Medicaid Services (CMS) issued a HIPAA Security Rule Interview and Document Request Guidelines for Investigations checklist (the “Audit Checklist”). The Audit Checklist notifies covered entities about the information CMS plans to review during Security Rule audits. Perhaps more importantly, the Audit Checklist also suggests that CMS is seriously making plans to conduct audits. Consequently, covered entities – including employer-sponsored health plans – should review their Security Rule compliance in anticipation of being audited.

What’s on the Audit Checklist?

The Audit Checklist identifies the covered entity management and staff positions CMS plans to interview and the Security Rule-mandated documents CMS plans to review during the course of the audit. Interviewees include the President, CEO, or Directors of the covered entity; the Systems Security Officer; and the Security Incident Response Team Leader. Documents include the covered entity’s risk assessment and the risk management plan. CMS regards these individuals and documents as the keystone of the covered entity’s Security Rule compliance. As such, these people and these documents must convey to CMS and others the covered entity’s commitment to compliance with the Security Rule. A copy of the Audit Checklist is electronically attached to the end of this Alert.

What are risk assessment and risk management plans?
Covered entities must identify the “who, what, where and how” of their use, storage, and transmission of electronic protected health information, or EPHI. Once covered entities know the answers to these questions, covered entities can begin to identify vulnerabilities and threats to the EPHI that create a risk of a security breach. For example, transmitting unencrypted EPHI creates a risk that the EPHI could be intercepted. That risk must be prioritized according to the other risks that have been identified for each use, storage or transmission. The result is the risk assessment document that CMS will be looking for during the audit.

Once the risks are identified and prioritized, covered entities must plan to contain them. Risks are contained by implementing appropriate physical, administrative, and technical safeguards to protect the EPHI. In the above example about transmitting unencrypted EPHI, a technical safeguard would be the use of encryption software for such transmissions, possibly in conjunction with an administrative safeguard that mandates the use of such encryption software. Regardless of the selected approach, the covered entity must evaluate the alternatives and select the best one given the particular circumstances the covered entity faces. The result of this evaluation process, which must be documented, is the risk management plan.

Both the risk assessment and the risk management plans must be periodically reviewed and updated, as necessary. So, performing an internal test audit would be a great way to prepare for a CMS audit while at the same time performing a task that the Security Rule requires.

Avoiding Liability

Given today’s landscape, and despite the warnings about failure to comply with the Security Rule, many covered entities are still not compliant. In some cases, covered entities’ compliance personnel may not have the systems/technical skills to fully appreciate the Security Rule’s requirements. In other cases, covered entities may have taken some compliance steps but just never finished the job. Covered entities that have taken no compliance steps should begin immediately because CMS will consider whether a violation is the result of “willful neglect” when assessing penalties. “Willful neglect” means the “conscious, intentional failure or reckless indifference to the obligation to comply.” 45 CFR 160.410(a). CMS would consider willful neglect as an aggravating factor when assessing penalties.

Time is running out. Fines and penalties for noncompliance can be severe, up to $100 per day per violation not to exceed $25,000 per year per violation. 42 USC § 1320d-5(a). And “[i]n the case of continuing violation of a provision, a separate violation occurs each day the covered entity is in violation of the provision.” 45 CFR 160.406 (emphasis added). So, a covered entity that has taken little or no effort to comply with the Security Rule could be facing multiple fines of up to $25,000 per year – for a period of up to six years.

Covered entities that think they are compliant should nevertheless consider performing a test audit. The results may confirm that the compliance program works. If the results prove otherwise, covered entities should address problems before CMS comes knocking at the door.
K&L Gates comprises multiple affiliated partnerships: a limited liability partnership with the full name Kirkpatrick & Lockhart Preston Gates Ellis LLP qualified in Delaware and maintaining offices throughout the U.S., in Berlin, in Beijing (Kirkpatrick & Lockhart Preston Gates Ellis LLP Beijing Representative Office), and in Shanghai (Kirkpatrick & Lockhart Preston Gates Ellis LLP Shanghai Representative Office); a limited liability partnership (also named Kirkpatrick & Lockhart Preston Gates Ellis LLP) incorporated in England and maintaining our London and Paris offices; a Taiwan general partnership (Kirkpatrick & Lockhart Preston Gates Ellis) which practices from our Taipei office; and a Hong Kong general partnership (Kirkpatrick & Lockhart Preston Gates Ellis, Solicitors) which practices from our Hong Kong office. K&L Gates maintains appropriate registrations in the jurisdictions in which its offices are located. A list of the partners in each entity is available for inspection at any K&L Gates office.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

Data Protection Act 1998—We may contact you from time to time with information on Kirkpatrick & Lockhart Preston Gates Ellis LLP seminars and with our regular newsletters, which may be of interest to you. We will not provide your details to any third parties. Please e-mail london@klgates.com if you would prefer not to receive this information.

©1996-2008 Kirkpatrick & Lockhart Preston Gates Ellis LLP. All Rights Reserved.

DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of E-Health Standards and Services

Sample - Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews

1. Personnel that may be interviewed

• President, CEO or Director
• HIPAA Compliance Officer
• Lead Systems Manager or Director
• Systems Security Officer
• Lead Network Engineer and/or individuals responsible for:
  o administration of systems which store, transmit, or access Electronic Protected Health Information (EPHI)
  o administration of systems networks (wired and wireless)
  o monitoring of systems which store, transmit, or access EPHI
  o monitoring of systems networks (if different from above)
• Computer Hardware Specialist
• Disaster Recovery Specialist or person in charge of data backup
• Facility Access Control Coordinator (physical security)
• Human Resources Representative
• Director of Training
• Incident Response Team Leader
• Others as identified

2. Documents and other information that may be requested for investigations/reviews

a. Policies and Procedures and other Evidence that Address the Following:

• Prevention, detection, containment, and correction of security violations
• Employee background checks and confidentiality agreements
• Establishing user access for new and existing employees
• List of authentication methods used to identify users authorized to access EPHI
• List of individuals and contractors with access to EPHI, to include copies of pertinent business associate agreements
• List of software used to manage and control access to the Internet
• Detecting, reporting, and responding to security incidents (if not in the security plan)
• Physical security
• Encryption and decryption of EPHI
• Mechanisms to ensure integrity of data during transmission, including portable media transmission (i.e., laptops, cell phones, BlackBerries, thumb drives)
• Monitoring systems use, authorized and unauthorized
• Use of wireless networks
• Granting, approving, and monitoring systems access (for example, by level, role, and job function)
• Sanctions for workforce members in violation of policies and procedures governing EPHI access or use
• Termination of systems access
• Session termination policies and procedures for inactive computer systems
• Policies and procedures for emergency access to electronic information systems
• Password management policies and procedures
• Secure workstation use (documentation of specific guidelines for each class of workstation, i.e., on-site, laptop, and home system usage)
• Disposal of media and devices containing EPHI

b. Other Documents:

• Entity-wide Security Plan
• Risk Analysis (most recent)
• Risk Management Plan (addressing risks identified in the Risk Analysis)
• Security violation monitoring reports
• Vulnerability scanning plans
  o Results from most recent vulnerability scan
• Network penetration testing policy and procedure
  o Results from most recent network penetration test
• List of all user accounts with access to systems which store, transmit, or access EPHI (for active and terminated employees)
• Configuration standards, to include patch management, for systems which store, transmit, or access EPHI (including workstations)
• Encryption or equivalent measures implemented on systems that store, transmit, or access EPHI
• Organization chart, to include staff members responsible for general HIPAA compliance, including the protection of EPHI
• Examples of training courses or communications delivered to staff members to ensure awareness and understanding of EPHI policies and procedures (security awareness training)
• Policies and procedures governing the use of virus protection software
• Data backup procedures
• Disaster recovery plan
• Disaster recovery test plans and results
• Analysis of information systems, applications, and data groups according to their criticality and sensitivity
• Inventory of all information systems, to include network diagrams listing hardware and software used to store, transmit or maintain EPHI
• List of all Primary Domain Controllers (PDC) and servers
• Inventory log recording the owner and movement of media and devices that contain EPHI