Intermountain to develop, share HIPAA best practices

Intermountain Healthcare plans to develop and share security best practices with fellow hospitals and healthcare organizations after audits uncovered holes in its overall approach to privacy protection.

The Salt Lake City-based hospital system, according to HealthcareInfoSecurity, while ahead of the security curve based on the healthcare industry's interpretation of HIPAA, was "off the mark" based on the HIPAA interpretation of the U.S. Department of Health & Human Services Office for Civil Rights, Chief Information Security Office Karl West said. Intermountain hired KPMG--the same consulting firm used by OCR to conduct audits for a 2012 HIPAA audit pilot program--to perform its audits.

The audit found that Intermountain suffered from a lack of consistency with HIPAA guidelines in security policies and procedures. For instance, the organization wasn't documenting differences in protection levels for protected health information in disparate locations. What's more, Intermountain wasn't keeping accurate records of which employees underwent HIPAA training.

"We wanted to do an assessment of our OCR-audit readiness," West told HealthcareInfoSecurity. "We looked at what was happening with fines and penalties and the failures [spotlighted] by OCR and saw something that is wrong in the healthcare industry."

In developing its best practices, the hospital system plans to work with security personnel from banking and government, among other industries, to ensure its efforts are robust.

KPMG's audits under the OCR program determined that many providers in the industry don't know which privacy regulations apply to them. An analysis of the audits found that out of 980 problems identified during 115 audits conducted last year, 289 (30 percent) were due to ignorance on the part of organizations.

"Most of these related to elements of the Rules that explicitly state what a covered entity must do to comply," the analysis said.

OCR late last month said it plans to survey the audited entities to get feedback on the overall process. Information gathered will be used to improve the audit program.

To learn more:
- here's the HealthcareInfoSecurity article