In 2009, the HITECH Act mandated that not only covered entities but also business associates would be subject to periodic audits as a means to ensure that both are complying with HIPAA Rules. The first phase of these audits, taking place between 2011 and 2012 and involving 115 covered entities, revealed abysmal results. Only 13 entities passed without any negative findings, and over 980 compliance issues were discovered. One-third of these violations were simply due to ignorance of HIPAA requirements.
As the HHS prepares for its second set of audits, this time including 50 business associates, a thorough understanding of HIPAA compliance is more important than ever for companies that handle protected health information. Alongside understanding the requirements of HIPAA compliance, organizations should choose a compliance solution that is most appropriate for their data volume and usage, as well as existing capabilities. In this article, we explore the pros and cons of each approach, how companies should prepare for forthcoming HIPAA audits, and a few examples of successful and not-so-successful HIPAA compliance initiatives.
HITECH Has Changed the Regulatory Environment for Business Associates
Healthcare-focused technology companies that access electronic protected health information (ePHI, often referred to simply as PHI) have been hit especially hard by the HITECH Act. Such companies, defined as business associates (BAs), are now directly liable under HIPAA rules and could be subject to civil and criminal penalties for failing to meet new standards. This is a significant departure from pre-HITECH HIPAA, when all responsibility and liability fell on covered entities (health care providers, health plans, and clearinghouses). The change should come as no surprise: almost two-thirds of historical data breaches involved a BA.
The penalty for violations of a single provision can reach up to $1.5 million, and fines can add up if an organization has multiple infractions. Granted, these fines are immaterial compared to potential reputational damage. In July 2015, UCLA Health System acknowledged that hackers may have accessed sensitive information on up to 4.5 million patients. Just months before that, Anthem — the second largest health insurer in the US — revealed a breach of up to 80 million customer records. It is difficult to imagine patients trusting either of these organizations in the near future. IDC predicts one in three individuals will have their healthcare records compromised by cyber attacks in 2016, and no organization wants to be associated with those breaches.
Figure 1. HIPAA Breach Costs You Should Be Aware Of
Nonetheless, given the limited flexibility of the healthcare system, it is unlikely that patients will switch insurers or providers in response to a data breach. The same does not hold for covered entities (CEs) and the BAs they engage. We have noticed that CEs now have more rigorous expectations of BAs. Often, they will look for a large and reputable existing client base, comprehensive evidence of HIPAA compliance, and demonstrated understanding of the intricacies of HIPAA and HITECH. Fail to meet these standards and a healthcare technology company may find itself boxed out of the market. Understandably, the current market and regulatory landscape has many operators asking, how exactly do I go about achieving HIPAA compliance?
Preparing for HIPAA Compliance
There is no single path to HIPAA compliance. Several factors will influence an organization’s choice for compliance, including: organizational size and complexity, volume of PHI, role of PHI in business workflows, and the organization’s team and platform capabilities. Given the HIPAA focus on security and privacy compliance, there is a natural tendency to prioritize technology-based solutions. And technology does play a key role. For example, the use of robust encryption technologies — such as public-private key approaches — is critical for protecting PHI.
Figure 2. Sites of HIPAA Breaches
But organizations also need to focus on issues from a people and a process perspective, since a large portion of security lapses are due to people-related vulnerabilities. Managing the risks associated with people requires particular focus on permissions — addressing the “who”, “when”, and “where” questions related to PHI access — as well as ongoing training and education to minimize risky behaviors.
From a process perspective, the first step is to map PHI as it moves through your system — how it travels, where it is stored, and mostly importantly, how it is integrated with your overall business processes. By isolating PHI to critical use cases, your organization will reduce the scope and complexity of HIPAA compliance.
Next, compare your current data security and privacy procedures against requirements outlined in the HIPAA/HITECH Acts, including change control, data security and information lifecycle management, data center security, encryption and key management, governance and risk management, identity and access management, security incident management, and threat and vulnerability management. Armed with a general understanding of your position relative to the requirements, you can now create a plan of action for achieving compliance — either internally or externally.
Alternatives: In-House or Outsource?
If you are close to meeting the requirements of an HHS OCR audit, or if you have a savvy team, it might make sense to implement HIPAA-compliant elements in-house — with a checkoff from a third-party auditor. While this approach provides greater control over the elements required for compliance, it also requires a greater investment in internal resources and expertise.
It is important to note that individual auditors do not use one single standard. Each auditor interprets the HIPAA controls in their own way and has an unique assessment process. The danger of insourcing all HIPAA work is there may be a huge gap between your internal staff’s interpretation of the HIPAA policies and how an auditor interprets those same rules. Down the line, this could result in costly rework to address deficiencies found by your auditors.
There are two approaches to combat this issue. The first and more expensive, but thorough, option is to have the auditor perform a quick pre-assessment. This allows the auditor to get a quick view of the landscape and provide directional feedback regarding major gaps. A second, cheaper approach is to ask the auditor to provide documentation and guidance on how to adequately perform a self-assessment. With this, you can focus your work on areas that the auditors have deemed important and, hopefully, reduce the amount of deficiencies they find in a full audit.
If internal compliance work is too burdensome, you may consider outsourcing PHI management to a reputable HIPAA-compliant vendor who in turn acts as a BA (and yes, BAs can subcontract to other BAs!). This option would be especially attractive for an organization that is sub-scale in size, where a direct investment in HIPAA expertise would be disproportionately large. Fortunately, a number of established vendors now offer platforms that meet HIPAA requirements and are willing to sign the BA agreement, including Amazon Web Services, Datapipe, and OnRamp.
Regardless of the approach you pick, it is crucial to document everything — discussions, policies, procedures, trainings. This “paper trail” will be central to any future audit, whether self-imposed or by HHS. Detailed documentation will be especially important as your team grows, ensuring that all members of your organization are aware of HIPAA rules and how they apply to each role. If you take all the necessary steps for HIPAA compliance yet fail to keep proper records, the resources you invested may be all for naught.
Key Lessons from HIPAA Compliance Initiatives
Our experience with numerous healthcare-focused companies has given us great perspective on how to best deal with HIPAA-related challenges. For example, a web company that provides healthy meal planning services processes biometric data to determine consumer health profiles. They can detect conditions like diabetes, obesity, and high blood pressure, then tailor meal plans for healthier outcomes. Being a startup, the company did not have a lot of resources to spend on compliance. A crucial strategy for them was to take as much of the system out of scope as possible.
The company’s system was made up of two major components: the customer facing website, and a large data warehouse used to run machine learning algorithms to make recommendations. To minimize the audit’s scope, they made sure the data warehouse never contained any biometric data. Instead, they performed a pre-processing routine that populated various attributes in the data warehouse based on the biometrics. To meet HIPAA requirements, biometric data must be encrypted in flight and at rest in databases or file servers. However, encryption creates performance overhead, a critical issue for a consumer-facing web application. In order to minimize the impact of encryption, the company isolated all of the biometric data to a single table and encrypted only that table. They used table-level encryption, as opposed to attribute-level encryption, to protect against unencrypted addition of future attributes. This way, the biometrics table is used once, when the customer first logs in, while the rest of the tables are unencrypted and contain no sensitive data — allowing for maximum performance while still protecting PHI.
Per HIPAA requirements, the web company also had to retool their approach to people and processes. For example, they were required to show proof of destruction of the original biometrics sent to them from their clients. The company’s customers were large employers who offered the website to employees as a human resources perk, providing health advice and lowering insurance premiums in exchange for using their biometric data. For employees who opted into the service, the employer sent their biometric data via file transfer or email to the web company. To succeed in a HIPAA audit, the web company strictly limited personnel access to these files and developed a documented process for destroying the original data source after it was ingested.
In addition, areas as simple as PC and phone encryption could not be overlooked. Imagine that an employee receives a file containing biometric data from a customer and the employee’s laptop or mobile phone becomes compromised — the biometrics file could easily wind up the wrong hands. In another example, a phone by the front desk was flagged by an auditor who noted that the IP phone could create a backdoor into the company’s network. The fix? We had to replace that phone with an old-school phone, without connectivity capabilities.
As evidenced by these anecdotes, HIPAA requirements will impact various teams and operations within your organization. While achieving compliance may seem daunting, keep in mind that a data breach would be even more costly — a strong motivator for tackling security and privacy issues sooner rather than later
Key Lessons from Other Security and Privacy Standards
Business associates should be aware that data security and privacy are central to compliance beyond HIPAA, notably in SOC 1/2 reporting and PCI (payment card industry) standards. A closer inspection of specific requirements will reveal substantial overlap between standards. Companies can save significant time and money by tackling multiple standards at once, but proper execution is key. In diligence engagements, we have seen operators succeed to varying degrees.
On the low-performing end was an HCIT company that has been hugely successful in attracting and keeping hospital customers but was lacking in data security. Since their beginnings about a decade ago, they had grown to become the clear market leader, but at a price. Despite the huge amount of data they were handling, they had not yet completed a risk assessment nor performed any penetration testing. In addition, they had recently acquired a company that had signed BA agreements with its client base. Yet, executives were unaware of the applicable HIPAA rules and accompanying liability. We promptly informed our client of these vulnerabilities and recommended next steps for the company that would allow it to play catch-up on all security and privacy concerns — HIPAA compliance was to be a priority, given that any breach would threaten their dominant position.
Rapid growth proved to be painful for another company we assessed, this time a provider of workforce management solutions. While they did not handle PHI and, as such, were not subject to HIPAA rules, the challenge they faced is likely to plague BAs seeking HIPAA compliance: a number of the data centers they were using to store customer data were unable to obtain SOC 2 certification. In addition, their IT and engineering teams differed in their understanding of industry standards and the consequences of poor security. Luckily, investing in improved security was feasible for the company, and we advised them to increase IT/security resources as their cloud focus continued to expand.
On the other end of the spectrum was a business cloud services provider. Perhaps as a result of differentiators needed to stand out in a crowded market, the company had strong security and privacy processes across the board. They performed quarterly PCI v3 scans to ensure the integrity of any credit card information on their platform, hired a trusted firm to perform annual SOC 2 audits, and met NIST 800.53 standards through annual self-assessments. Note that the last of these is particularly relevant to healthcare companies, as it is referenced in HIPAA rules (as well as FINRA regulations). Importantly, all of this was overseen by a single individual, VP of Security and Privacy, who was held accountable by the CTO. To this day, the company remains a strong example having an integrated approach for dealing with a number of compliance standards that often overlap.
Being Proactive About Compliance
In light of the game-changing HITECH Act, it is crucial that all organizations touching healthcare step back and evaluate their stance as it relates to HIPAA compliance. Regulatory burdens now fall more heavily on business associates, a category of wildly diverse organizations that provide different services and functions but have one thing in common: use or disclosure of protected health information. To achieve and maintain HIPAA compliance, business associates must act quickly and ensure that people, processes, and technology have all been brought up to new regulatory standards, either by outsourcing to compliance experts or with rigorous in-house efforts.
Along the way, you might find your company shoring up several other security and privacy gaps — the kind that could derail a nascent or growing venture. As partners of numerous healthcare-focused technology companies, we hope that these lessons learned and changes made in pursuit of HIPAA compliance, while tedious and expensive, will strengthen the organizations we work with and securely position them for the future.
Co-authored by David Wong of Bulger Partners and Mike Kavis of Cloud Technology Partners. Originally published on HITConsultant.net.