DocumentCode :
3366478
Title :
HIPAA and QMS Based Architectural Requirements to Cope with the OCR Audit Program
Author :
Gardazi, Syeda Uzma ; Shahid, Arshad ali ; Salimbene, Christine
Author_Institution :
Comput. Sci. Dept., Nat. Univ. of Comput. & Emerging Sci., Islamabad, Pakistan
fYear :
2012
fDate :
26-28 June 2012
Firstpage :
246
Lastpage :
253
Abstract :
The United States legislation known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is aimed at strengthening patient rights, increasing efficiency and decreasing administrative costs in the healthcare industry. Under HIPAA all Covered Entities are required to ensure compliance with certain privacy and security rules concerned with protecting private patient health information. Building upon the objectives of HIPAA, the American Recovery and Reinvestment Act (ARRA) of 2009, in Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, required the Department of Health and Human Services (HHS) to conduct periodic audits of Covered Entities against the HIPAA Security Rule. This paper presents and evaluates a new approach which Covered Entities might use to achieve compliance with HIPAA by adopting the ISO 9001 guidelines. A United States based Healthcare IT Company (UHITC) with a backup office in Pakistan was taken as a case study for this approach. UHITC develops software for mobile devices and provides third-party medical billing services. Having held ISO 9001 certification since 2004, UHITC had already developed a company-wide quality audit protocol based on the ISO 9001 standard. To align the ISO standard with the HIPAA audit protocol in a streamlined fashion, UHITC examined the HIPAA requirements to determine whether the existing protocol could be tailored to achieve HIPAA compliance. To carry out this evaluation, the two standards were compared by cross-mapping their components. The comparison revealed that the controls in the ISO 9001 guideline meet or exceed the HIPAA Security Rule for 36% of the implementation requirements. UHITC was also able to increase customer satisfaction by achieving compliance with the HIPAA Security Rule using a quality management system (QMS) model. At the next level, Compliance Attributes (CA) were derived from these requirements and classified as architectural or non-architectural in nature. A new approach to defining compliance-oriented software architecture using compliance tactics was also proposed.
Keywords :
auditing; data privacy; health care; legislation; medical information systems; security of data; software architecture; ARRA; American recovery and reinvestment act; CA; HHS; HIPAA; HIPAA security rule; HITECH; ISO 9001 certification; OCR audit program; Pakistan; QMS; UHITC; United States based healthcare IT company; United States legislation; administrative costs; architectural requirements; company-wide quality audit protocol; compliance attributes; compliance oriented software architecture; compliance tactic; department of health and human services; health information technology for economic and clinical health act; health insurance portability and accountability act; healthcare industry; patient rights; privacy rules; private patient health information; quality management system model; security rules; Guidelines; ISO; ISO standards; Medical services; Protocols; Security; HIPAA; HIPAA compliance and QMS intermapping; ISO; software architecture and OCR Audit Program;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Mobile, Ubiquitous, and Intelligent Computing (MUSIC), 2012 Third FTRA International Conference on
Conference_Location :
Vancouver, BC
Print_ISBN :
978-1-4673-1956-0
Type :
conf
DOI :
10.1109/MUSIC.2012.50
Filename :
6305857