

June 21, 2007


If the HIPAA Regulators Came Knocking . . .

Suppose you were given ten days to respond to a HIPAA audit request. Would you be ready?

Up until now, the Department of Health & Human Services' (HHS) HIPAA enforcement strategy has been focused on responding to specific complaints from individuals and working informally with covered entities--health care providers, insurers and employer-sponsored health plans--to achieve compliance. That has changed.

For the first time ever, HHS is conducting a HIPAA compliance audit of a covered entity, which happens to be a hospital in Atlanta. The audit is focusing on HIPAA security compliance, which a lot of covered entities have struggled to implement. Computerworld reports that an anonymous source has revealed a list of 42 categories of information that HHS asked the hospital to provide on 10 days' notice.

The HHS request sought policies and procedures addressing the following topics:

  • Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
  • Emergency access to electronic information systems.
  • Inactive computer sessions (periods of inactivity).
  • Recording and examining activity in information systems that contain or use ePHI.
  • Risk assessments and analyses of relevant information systems that house or process ePHI data.
  • Employee violations (sanctions).
  • Electronically transmitting ePHI.
  • Preventing, detecting, containing and correcting security violations (incident reports).
  • Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
  • Creating, documenting, and reviewing exception reports or logs, providing a list of examples of security violation logging and monitoring.
  • Monitoring systems and the network, including a listing of all network perimeter devices, i.e., firewalls and routers.
  • Physical access to electronic information systems and the facility in which they are housed.
  • Establishing security access controls (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
  • Remote access activity, i.e., network infrastructure, platform, access servers, authentication and encryption software.
  • Internet usage.
  • Wireless security (transmission and usage).
  • Firewalls, routers and switches.
  • Maintenance and repairs of hardware, walls, doors and locks in sensitive areas.
  • Terminating an electronic session and encrypting and decrypting ePHI.
  • Transmitting ePHI.
  • Password and server configurations.
  • Antivirus software.
  • Network remote access.
  • Computer patch management.

In addition to these policies and procedures, HHS also sought the following information:

  • Provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
  • Provide a list of terminated employees.
  • Provide a list of all new hires.
  • Provide a list of encryption mechanisms used for ePHI.
  • Provide a list of authentication methods used to identify users authorized to access ePHI.
  • Provide a list of outsourced individuals and contractors with access to ePHI data, if applicable, and include a copy of the contract for these individuals.
  • Provide a list of transmission methods used to transmit ePHI over an electronic communications network.
  • Provide organizational charts that include names and titles for the management information system and information system security departments.
  • Provide entity-wide security program plans (e.g., System Security Plan).
  • Provide a list of all users with access to ePHI data and identify each user's access rights and privileges.
  • Provide a list of systems administrators, backup operators and users.
  • Include a list of installed antivirus servers, including their versions.
  • Provide a list of software used to manage and control access to the Internet.
  • Provide the antivirus software used for desktop and other devices, including their versions.
  • Provide a list of users with remote access capabilities.
  • Provide a list of database security requirements and settings.
  • Provide a list of all Primary Domain Controllers and servers (including Unix, Apple, Linux and Windows), and identify whether these servers are used for processing, maintaining, updating and sorting ePHI.
  • Provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

I think a lot of people would be scrambling to respond to this kind of request in 10 days' time!

If you are a covered entity--a health care provider, an insurer, or an employer who sponsors self-funded health benefits--now is a good time to revisit your HIPAA practices to make sure that you are in compliance. You should examine your written policies to make sure that they address all of the HIPAA privacy and security requirements and that they accurately reflect your actual practices. If you have not conducted a risk analysis within the last year, it is probably time to update it--especially if you have modified your information systems. Also remember to take into account laptops, PDAs, smart cell phones, portable memory sticks and other portable devices that make it easy to access protected health information from remote locations. You should also conduct your own internal audits to determine whether your policies and procedures are being followed.
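One internal check that maps directly onto two of the request items above (policies for terminating users' access, and the list of terminated employees) is to reconcile the HR termination feed against the directory accounts that can reach ePHI. The script below is an added example written for this article, not part of the original post or the HHS request. It assumes two CSV exports with the column names shown, a policy that access must be disabled within one day of termination, and the constructed sample data embedded in it; none of it is real hospital data.

```python
"""Reconcile an HR termination feed against directory accounts that hold ePHI access.

Added example for this article, not something from the audit request itself. It assumes
two CSV exports with the column names shown below and a policy that access must be
disabled within one day of termination; all data here is constructed, not real.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR export: who left and when.
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
1001,Alice Example,2007-05-30
1002,Bob Example,2007-06-10
1003,Carol Example,2007-06-18
"""

# Constructed directory export: accounts and the groups that grant ePHI access.
# A blank employee_id models a service or contractor account with no HR owner on file.
DIRECTORY_CSV = """username,employee_id,enabled,last_logon,ephi_groups
aexample,1001,false,2007-05-29,EHR-Clinicians
bexample,1002,true,2007-06-15,EHR-Clinicians;Billing-Users
cexample,1003,true,,Radiology-PACS
dexample,1004,true,2007-06-20,EHR-Clinicians
svc-backup,,true,2007-06-20,Backup-Operators
"""

GRACE_DAYS = 1  # assumed policy: disable access within one day of termination


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    detail: str


def parse_date(text):
    """Return a date for an ISO string, or None for an empty field (never logged on)."""
    return date.fromisoformat(text) if text else None


def reconcile(hr_csv, directory_csv, as_of):
    """Return findings for accounts with ePHI access that do not match the HR record."""
    terminated = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        groups = [g for g in acct["ephi_groups"].split(";") if g]
        if not groups:
            continue  # only accounts that can reach ePHI are in scope for this check
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = parse_date(acct["last_logon"])
        hr_row = terminated.get(acct["employee_id"])
        if hr_row is not None:
            term = parse_date(hr_row["termination_date"])
            deadline = term + timedelta(days=GRACE_DAYS)
            # Account still enabled past the grace period: termination procedure failed.
            if enabled and as_of > deadline:
                findings.append(Finding(user, "enabled-after-termination",
                                        f"terminated {term}, still enabled on {as_of}"))
            # Any logon after the termination date is a potential unauthorized access.
            if last_logon is not None and last_logon > term:
                findings.append(Finding(user, "logon-after-termination",
                                        f"terminated {term}, last logon {last_logon}"))
        elif not acct["employee_id"]:
            # ePHI-capable account with nobody accountable for it in HR.
            findings.append(Finding(user, "no-hr-owner",
                                    f"groups {groups} with no employee or contractor record"))
    return findings


def run_sample(as_of_iso="2007-06-21"):
    """Run the reconciliation over the constructed exports as of the given date."""
    return reconcile(HR_TERMINATIONS_CSV, DIRECTORY_CSV, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:12} {f.issue:28} {f.detail}")
```

Run against the sample exports as of June 21, 2007, the check flags one account still enabled and used after its owner's termination, one enabled past the grace period, and one service account with no HR owner, while the properly disabled account produces nothing. The same reconciliation, fed real exports and run on a schedule, is the kind of evidence that answers the "terminated employees" and "users with access to ePHI" items without a ten-day scramble.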

If you receive an audit request, keep in mind that the HIPAA enforcement rules require HHS to impose a civil monetary penalty if it finds a violation. You will likely want to have experienced HIPAA counsel involved in this process.

If you have questions about HIPAA privacy or security issues, please contact Norbert Kugele at 616.752.2186, or any other member of Warner's HIPAA Task Force, Employee Benefits Practice Group or Health Law Group.



