Getting your IT house in order, part 4

How to get legal and stay legal: continuous audit readiness

In the second installment of this series, we dealt with how to implement an EMR system — or getting it up and running. In part three, we turned to the issue of keeping it running. For Ocala Eye, this task involved more than one staff position. The task also required us to engage outside services to backfill for competencies and experience that our director lacked, and to create a redundancy in key management functions.

Here, I discuss the skills required for IT management and the additional priorities beyond the “care and feeding” of an EMR.

Once upon a time, there was a successful but IT-naïve ophthalmic practice, whose leaders thought their HIPAA security measures had been fully researched, installed and hence impregnable. Staff members would glowingly reassure anyone that the practice’s HIPAA house was in order … until they were asked questions, like the name of their HIPAA security officer … or the number of disaster recovery tests the practice ran per year … or to see the HIPAA risk analysis or proof of workforce training and awareness.

While the practice had tried hard to attain and maintain compliance, it fell short because of two major deficits, its Achilles’ heels: no IT management system and no HIPAA compliance management system. Happily, the practice engaged a competent consulting firm to review its efforts and make recommendations. What follows is the story of how this unfolded.

A little agita

The path to true HIPAA compliance started when the practice racked up complaints from staff members in all of its departments: long outages that invited audits, trouble tickets that affected patient flow, billing complaints that impacted income, personnel tiffs that soured the work day because staff didn’t understand what a system was, nor how one process affected another process.

So, the practice partners did the only thing they could: They sought a second opinion. They hired an outside consultancy to perform discovery of their current state of IT management and HIPAA security compliance management. A central assumption was that a tightly-managed IT services portfolio would make HIPAA security compliance easier and less costly because IT management processes would naturally mitigate risks. But this was wrong. Because staff didn’t understand what defined a portfolio, let alone a system, the new consultants would need to make clear communication another important concern.

A little IT-speak

  1. A system is a collection of processes that informs other processes; it dictates how they are executed and under what conditions.
  2. A collection of projects is called a portfolio. If you have more than three active IT projects, you have a portfolio. Proper portfolio management is a skill that is definitely worth acquiring.

Another wrong assumption: There is nothing natural about reducing risk.

How efficient was anything related to IT management and HIPAA compliance in the practice?

Quick answer: They were in the “red” on both.

An important response

The partners wanted to drill down. They asked the consultancy to assess the following:

  1. The HIPAA compliance management system
  2. The Enterprise IT management system
  3. The overall performance of the current systems

Project scope

The scope of this project covers discovery, assessment and high-level corrective-action recommendations for two IT management systems. The findings report will focus on the status and performance of each system listed below.

System one: Compliance management system for HIPAA Security rule

System two: Performance management system for enterprise IT

Assessment is reached via documentation reviews, technical analysis, observation and interviews conducted via multiple remote sessions and two on-site visits (initial review and findings presentation to the board of directors).

Phase one was discovery and data collection; in phase two, the consultancy would present findings, make recommendations and prioritize remediation and corrective-action projects.

What follows are examples of activities a consultancy might perform in a similar engagement. We have provided this in the form of a letter of engagement so the reader can experience the decision-making process the partners went through. (See sidebar on next page.)

It is always good to clarify any assumptions that either client or consultant might have. It is vital to describe, as much as possible, the scope of what will be done and how much it will cost.

After clarifying assumptions and scope, the client should hear details about the work to be performed. Below is an example.

The key takeaway from this section is acting, not reacting. The presence or absence of management processes is one thing; how well they are designed and executed is another. How often do you review planned vs. actual results for process execution, process enforcement and process management?

With discovery over, phase two begins. In phase two, the practice will learn the consultant’s findings, recommendations and the prioritization of remediation and corrective action projects.

Letter of engagement for enterprise IT and HIPAA security management systems review

Current situation assumption: Insufficient and/or ineffective process control by two IT management systems is putting practice assets at risk

The underperformance of two mission-critical IT management systems may be putting the practice’s financial, operational and reputation assets at risk. IT risks exceed partners’ tolerance levels; board of directors seeks assessment of and options for IT performance management, as relates to:

System one: Compliance management system for HIPAA Security Rule. Current scope does not include review of HIPAA Privacy Rule compliance management system

System two: Performance management system for enterprise IT. Current scope includes IT management across all locations

What we know so far:

  • Some anecdotal evidence of ad hoc efforts, but these are mostly informal processes designed with good intentions
  • Current managed services provider (MSP) is operating in a more “break/fix” mode than as an MSP
  • Minimally-documented issue resolution or acceptance of solution by end users
  • Misapplication of ticket resolution process – limits trouble tickets from end-users
  • Bottom line: responses are mostly reactive

There is no documented evidence of policy or plan for the following:

  • Backup/restore; business continuity; disaster recovery; emergency operations; HITECH breach incident response; HIPAA privacy compliance gap assessment; HIPAA risk analysis
  • There is minimal documentation of: the HIPAA Security Rule compliance gap assessment (used only one assessment tool); and of enterprise IT conformance to any industry reference model (ITIL, ISO, BSI, Microsoft Standards of Practice, etc.)

Summary of discovery findings

Critical risk exposures were uncovered for both systems. There are no documented management systems or evidence that the practice has adopted, implemented or demonstrated conformance with industry-standard reference models, standards of practice or protocols, or legally mandated implementation standards for either system.

There is minimal documentation of:

  • HIPAA Security Rule compliance (Gap Assessment used only one assessment tool and neglected to perform critical aspects of gap assessment procedures)
  • Enterprise IT conformance to any industry reference model (ITIL, ISO, BSI, Microsoft Standards of Practice, etc.)


Online resources for this series:

  • PDF of sample goals and recommendations
  • Sample IT online project portfolio worksheet

Assessment approach and methodology

A comprehensive IT-performance assessment and risk analysis are the deliverables. The assessment, which will have a detailed analysis of both systems, will also list each system’s problems and scope, along with the recommended minimum necessary requirements and options for remediation.

Assessment of the HIPAA Security Rule compliance management system involves evaluating compliance gaps and assessing management of data confidentiality, integrity and availability, all against the requirements of the HIPAA Security Rule governing administrative, technical and physical safeguards. This is a combined compliance and performance evaluation.

The enterprise IT performance management assessment is about industry best practices and is therefore more granular, so it involves reviewing day-to-day IT operations from planning through availability.

Both assessments include documentation reviews, technical analysis, physical review, interviews and observations.

What are we looking for? A management system that:

  1. Manages HIPAA Security Rule compliance. Provides a structured, repeatable, standardized and optimized set of information protection processes that attains and maintains continuous audit-readiness.
  2. Manages enterprise IT performance. This is nearly a carbon copy of the above: IT management processes that attain and maintain adequate performance, availability and scalability of IT information and infrastructure systems, so that they support the information processing needs of the practice and match all of the client’s IT needs.

Conclusion: The practice’s enterprise and HIPAA compliance processes require a small number of triage interventions. In addition, mid- to long-term adoption of processes for quality management and operational management of both systems should be implemented once the top critical risks are addressed.


Risk mitigation defines IT management and HIPAA security management priorities. You cannot eliminate risk totally, but you can mitigate it by anticipating and addressing deficiencies. There are only four ways to address risk: You can avoid, transfer, accept or mitigate it.

Activate a HIPAA compliance management system technology platform and manage highest exposure HIPAA compliance risks as priority one projects.

Do the same with IT infrastructure exposures. This will include evaluating and selecting hosted software providers who offer HIPAA compliance management systems. We do not recommend an on-premises database that you install yourself, which then requires backups, updates, patches and so on.

Hosted Software-as-a-Service (SaaS) is the better option. These hosted applications are easier to acquire and are preconfigured with all the compliance management activities, tasks, recurring processes, policies and procedures, workforce training and awareness, and incident management that a HIPAA compliance program needs. They vary based on how scripted and prescriptive the HIPAA program is.

For example, some systems offer student areas, policy libraries, compliance officer communications and action plan outlines, but they do not actually notify managers if projects fall behind or if processes are undocumented. These systems assume that the practice understands compliance management very well and simply needs to centralize reporting and evidence collection. Other systems assume that the practice has very little compliance management know-how and provide guidance, notices, alerts and reminders so that compliance management becomes evergreen.

Actions to approve now

Engage interim CIO expertise to oversee high-risk to intermediate-risk projects. This person can:

  • Assume prior CIO duties
  • Assist IT oversight committee with oversight and management processes
  • Co-present with committee to board during initial 90-day period
  • Manage all IT and HIPAA solution provider relationships

Stand up two early-stage management systems (HIPAA and IT):

  • Activate compliance technology platform — HIPAA health center with compliance coordinator services
  • Implement IT lockdown — IT infrastructure hardening and hardware/software refresh of high-risk elements

Address biggest productivity, uptime, availability, confidentiality and integrity risks:

  • Hardware
  • Software — common off the shelf (COTS) and custom applications
  • Networks
  • Communication and phone systems

Approve interim CIO to work with IT oversight committee to prioritize and present project portfolio for approval.

Actions to approve next

Once the highest risk exposures are addressed, then it is safe to return to a systems review and remediation plan.

The goal is to maintain a state of continuous audit readiness:

  • HIPAA audit readiness — ONC protocols (mandated compliance)
  • IT audit readiness — ITIL protocols (voluntary conformance)

Fold the recommendation and remediation action plan phases of the original engagement into this stage. Transition to a systems approach to the management of IT and HIPAA compliance.

Summary: A tale of two practices

It was the best of HIPAA; it was the worst of HIPAA (apologies to Charles Dickens). Two practices, A and B, get the same recommendations and findings. The implications of what they chose to do may seem familiar to you.

Practice A used the information on its status as a lever to change its approach to risk management and compliance management. Its IT director could defend direct investments in hardening the practice’s information management processes and positioning the practice against fines and future remediation costs.

Practice B decided to stay with the status quo, because, “What are the odds of being caught and paying the price?”

The board of directors continued unaware that the first incident would directly impact their wallets. The managing partners chose to delay or decline hardening their IT assets, and this replicated a pre-existing pattern of neglect. “Don’t invest, just react when it breaks. We’ll just find someone to fix it.”

The net-net is that a HIPAA compliance audit is unlikely; however, a HIPAA breach is very likely. Your primary goal when the breach occurs must be to prove, because of your preparation, that this incident was an anomaly. Willful neglect is a real offense.

Proactive processes

Decisions that you must balance boil down to this: A well-run, proactively managed IT department will provide the majority of the compliance preparation required by law without a lot of special investment on top of your IT costs.

Get your IT house in order with proper management processes, and then backfill with compliance management processes specific to the regulation with which you must comply.

Management System Assessments

There are five key activities in successful systems management, and all systems leave clues. The presence or absence of a systematic management framework for both HIPAA security and Enterprise IT is discoverable. If the discovery finds any of the five are missing, that activity will be provided. Assessing the capability and performance of a management system is an ongoing management requirement.

These are the five key activities:

  1. Gap Analysis — Where is the practice today? Perform a program evaluation of how you manage today. Deliverable: Compliance and IT Systems Management Benchmarks review and assessment. Performance against industry best practices or audit protocols is compared with internal benchmarking.
  2. Corrective Action Plan — Where does the practice want to be? Benchmark findings reveal deficiencies to be addressed via a corrective action plan. Deliverable: Recommended Remediation Project Portfolio.
  3. Performance KPIs (Key Performance Indicators) — What must happen (Performance Goals)? Is it happening (Performance Metrics)? Deliverable: Leading and lagging indicators for successful systems management.
  4. Documentation of management processes — how we do it here. Deliverable: Secure evidence of Process Control Plans, Enterprise IT Architecture, IT Strategic and Operational Plans.
  5. Day-to-Day Process Execution Tools — Specific activities performed according to the Operations Plan and industry best practices. Deliverable: includes discovery and evaluation of recurring processes, remediation program management and individual remediation project management, as well as ad hoc incident response and resolution.
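The planned-vs.-actual question raised earlier, the reminder and alert behaviour the article attributes to a hosted compliance platform, and the leading/lagging KPIs of activity 3 all come down to the same bookkeeping: each recurring process has a planned cadence, and the register records when evidence was last produced. The following Python is an added example, not code from the article or from any compliance product; the process names, owners, cadences, dates and the 30-day reminder window are constructed assumptions.

```python
"""Planned-vs-actual check for recurring compliance and IT processes.

Added example, not code from the article or from any compliance platform.
It models the reminder/alert logic the article attributes to a hosted
compliance system: every recurring process carries a planned cadence, and
the register records the date of its last documented evidence. All process
names, owners, cadences and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DUE_SOON_WINDOW = timedelta(days=30)   # reminder lead time (assumption)
SAMPLE_AS_OF = date(2024, 3, 15)       # constructed "today" for the report


@dataclass(frozen=True)
class RecurringControl:
    name: str
    cadence_days: int               # planned interval between executions
    last_evidence: Optional[date]   # None: never documented
    owner: str


# Constructed register for a hypothetical practice (not real findings).
REGISTER = [
    RecurringControl("HIPAA risk analysis", 365, date(2023, 2, 1), "security officer"),
    RecurringControl("Disaster recovery test", 182, date(2023, 11, 15), "IT director"),
    RecurringControl("Backup restore test", 90, date(2024, 1, 10), "MSP"),
    RecurringControl("Workforce HIPAA training", 365, None, "compliance coordinator"),
    RecurringControl("Firewall rule review", 90, date(2024, 3, 1), "MSP"),
]


def next_due(control: RecurringControl) -> Optional[date]:
    """Planned date of the next execution, or None if nothing was ever documented."""
    if control.last_evidence is None:
        return None
    return control.last_evidence + timedelta(days=control.cadence_days)


def classify(control: RecurringControl, as_of: date) -> str:
    """Return 'undocumented', 'overdue', 'due_soon' or 'current' as of a given date."""
    due = next_due(control)
    if due is None:
        return "undocumented"
    if due < as_of:
        return "overdue"
    if due - as_of <= DUE_SOON_WINDOW:
        return "due_soon"
    return "current"


def readiness_report(register, as_of: date) -> dict:
    """Summarise the register: per-control status, alerts for owners, and two KPIs.

    Leading indicator: percentage of controls that are current or due soon.
    Lagging indicator: total days by which overdue controls have slipped.
    """
    statuses = {c.name: classify(c, as_of) for c in register}
    alerts = []
    overdue_days = 0
    for c in register:
        status = statuses[c.name]
        if status == "overdue":
            slipped = (as_of - next_due(c)).days
            overdue_days += slipped
            alerts.append({"control": c.name, "owner": c.owner,
                           "status": status, "days_overdue": slipped})
        elif status == "undocumented":
            alerts.append({"control": c.name, "owner": c.owner,
                           "status": status, "days_overdue": None})
    on_track = sum(1 for s in statuses.values() if s in ("current", "due_soon"))
    return {
        "as_of": as_of.isoformat(),
        "statuses": statuses,
        "alerts": alerts,
        "on_track_pct": round(100 * on_track / len(register)),
        "total_days_overdue": overdue_days,
    }


if __name__ == "__main__":
    report = readiness_report(REGISTER, SAMPLE_AS_OF)
    for name, status in report["statuses"].items():
        print(f"{status:12} {name}")
    for alert in report["alerts"]:
        print("ALERT:", alert)
    print("on track:", report["on_track_pct"], "% | days overdue:",
          report["total_days_overdue"])
```

Run as a script, the report flags the risk analysis as overdue and the training as undocumented, both addressed to a named owner, while the backup restore test surfaces as a reminder before it lapses. The two summary numbers are the KPIs a board could review monthly: the on-track percentage leads (it moves before anything is missed), and the accumulated overdue days lag (they record slippage that has already happened).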

Both the HIPAA Security Rule and the Enterprise IT systems will be assessed using the methodology described above.

If all reactive and proactive compliance and IT issues are resolved, then the remediation is deemed successful. Examples of reactive responses: trouble tickets and regulatory inquiries. Proactive responses would be periodic, comprehensive assessments against best practices, analyses, evaluation reviews and remediation projects.

HIPAA Security: Waiting for an inquiry letter or notice of audit from ONC regarding HIPAA Security is not proactive management. Nor is an IT service provider coming when called. Satisfactory resolution of reported issues involves service levels and key performance indicators that must be evaluated.

  • Uptime/Availability — Backup, Business Continuity/Disaster Recovery, Emergency Operations, Communications
  • Security — Confidentiality, Integrity, Availability
