New York State Comptroller Publishes ePHI Security Compliance Audit Report

The news is full of reports of healthcare providers failing to implement safeguards to keep Protected Health Information (PHI) secure; but it is rare for a healthcare organization to make the headlines for implementing all of the appropriate physical, administrative and technical safeguards required by HIPAA.

However, a recent ePHI data security audit conducted by the New York Office of the State Comptroller has seen Roswell Park Cancer Institute pass with no HIPAA violations discovered. The healthcare provider should be commended for the effort it has put into protecting the privacy of its patients.

The New York Office of the State Comptroller Audit

The State of New York Office of the State Comptroller (NYOSC) conducts regular audits of state organizations, most of which are related to corporate finance. However, last week the NYOSC announced it had completed an ePHI compliance audit of Roswell Park Cancer Institute (RPCI).

The audit was conducted specifically to test the safeguards the healthcare provider had put in place to secure patient data, pursuant to Article X, Section 5 of the State Constitution, and Section 2803 of the Public Authorities Law. NYOSC is also permitted to fine organizations for violations of data security rules under the HITECH Act.

The Buffalo-based healthcare provider was audited on HIPAA Security Rule compliance, and the protections put in place to secure its Electronic Health Record system. The assessment covered all ePHI created, received, maintained, or transmitted, with the test period running from January 1, 2013 to March 6, 2015. RPCI’s EHR system contains information on approximately 4,000 patients.

HIPAA Sets Minimum Data Security Standards

RPCI was found to have implemented a robust multi-layered security system to keep data secure, had breach notification policies in place and demonstrated a fast and efficient response to security incidents during the audit period. NYOSC deemed RPCI to be compliant with HIPAA regulations, having installed all of the necessary safeguards to reach HIPAA’s minimum data security standards.

The ePHI security audit may not have uncovered any violations of the Security Rule, but it did highlight data security issues that had not been addressed. In some cases, those security vulnerabilities had been known for some time, yet had not been resolved. HIPAA requires security vulnerabilities to be identified through a risk assessment and those risks to be addressed; however, it does not specify a timescale for mitigating them.

HIPAA-Compliant, Although Some Serious Data Security Issues Discovered

NYOSC determined that RPCI had implemented all of the necessary controls to secure data, as required by the Health Insurance Portability and Accountability Act, but it did make a number of recommendations. RPCI had completed annual risk assessments; however, not all of the security vulnerabilities identified had been addressed, with one potentially serious vulnerability allowed to persist for more than 12 months.

Since 2009, RPCI has identified 19 ‘high risk’ and 34 ‘medium risk’ vulnerabilities. RPCI said four of the high risk items have now been cleared, a further six are in the process of being resolved, and two have been put back to be dealt with in a future risk assessment.

Only three medium risk items have been closed, 15 are in the process of being fixed, and three have been deferred until an unspecified date in the future.

This is not actually a violation of HIPAA Rules: risk assessments were conducted, vulnerabilities identified, and action taken to address those vulnerabilities. In RPCI’s case, as with other HIPAA-covered entities, security vulnerabilities are prioritized, with the most serious problems dealt with first.

RPCI pointed out to auditors that under HIPAA Rules, the prioritization and deferring of security risks is permitted, and that it is not required to resolve all vulnerabilities immediately.

NYOSC auditors noted that “While this practice for prioritizing risk remediation does not violate the Security Rule, we believe it contradicts the Institute’s own policy of promptly addressing high risks, especially those that remain open over multiple periods. Of the 18 risks that the Institute had no formal plans to address as of April 2015, seven were considered high-risk items, including one related to accounting for all ePHI assets.”

As a result, NYOSC recommended steps be taken to address risks that have remained open over multiple periods, in addition to implementing new reporting mechanisms to support risk mitigation strategies. NYOSC also recommended steps be taken to improve the technical safeguards put in place and suggested physical safeguards could be improved.

Full details of the report can be found here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.