After the Anthem Breach
Since the Anthem breach was made public earlier this year, there has been a host of commentary on everything from the need for more data encryption measures to the need for more accountability at the C-level of most health care organizations. While many of these measures may prove to be the new reality, what is clear right now is that most health care organizations will be taking a much closer look at how vendors manage protected health information. This puts the security programs and compliance efforts of Business Associates (BAs) under a microscope.
Vendors handling electronic protected health information (ePHI) need to make sure their services are HIPAA and HITRUST compliant. That not only protects them from the risks of non-compliance, which include potential financial and criminal penalties, but will likely position them as a trustworthy vendor and give them a competitive advantage in the health care market. This article outlines what BAs should know about HIPAA and HITRUST, so they can make informed decisions for their business.
Threats to data security, including ePHI, are ongoing and seem to increase every day. State-sponsored attacks on health care data appear to be rising, concerns about the safety of data in the cloud persist – the list goes on and on. The November 12, 2014 Forrester Research article Predictions 2015: Data Security and Privacy are Competitive Differentiators states, “If your customers don’t trust you to rigorously protect and genuinely respect their sensitive data, they’ll take their business elsewhere. Thus, if your enterprise wants to successfully win, serve, and retain customers, the people, process, and technology that underpin data security and privacy must be critical elements of its business technology agenda.” They go on to add, “Half of enterprises will consider privacy a competitive differentiator.”
Business Associates Defined
Vendors should start by having a clear understanding of whether or not they are a BA. Essentially, if a company contracts with a Covered Entity to perform services on their behalf, and ePHI is involved, they are a BA. Common functions of BAs include billing, data analysis, claims processing and utilization review. Other functions that fall under the BA umbrella include providing managed services, data hosting, mobile applications or software as a service (SaaS).
If defined as a BA, vendors need to understand their responsibilities under the HIPAA Omnibus Rule. BAs have direct responsibility for protecting ePHI and must report these efforts to their health care clients. When it comes to assessments, both HIPAA and HITRUST are designed to safeguard health care information. Beyond that, their objectives are different.
Once a BA completes a HIPAA security assessment, and all audit recommendations have been resolved, they are considered compliant with the regulatory requirements specifically addressed by the HIPAA Security Rule.
However, when BAs focus solely on the HIPAA Security Rule from a compliance-only perspective – without performing a true risk analysis – there are usually gaps in security controls that mean cyber threats to ePHI have not been fully addressed.
Assessments can become complicated by the fact that HIPAA provides limited guidance to BAs about how to determine risk, so BAs typically need to look for guidance from organizations such as the National Institute of Standards and Technology (NIST) or HITRUST.
Unlike HIPAA, HITRUST is not a standard or regulation. HITRUST assessments are focused on identifying and resolving risk. They consider compliance with HIPAA regulations but take a broader approach to protecting ePHI.
The HITRUST Common Security Framework (CSF) was developed to provide organizations with a comprehensive, integrated approach to protecting ePHI data in the health care industry. The CSF’s control requirements are scaled based on the characteristics of the organization and systems to be evaluated. It considers all the standards and regulations that apply to BAs and other health care organizations including HIPAA Security Rule requirements, NIST and ISO standards, as well as the plethora of other federal, state and business requirements.
BAs have struggled to understand appropriate ePHI risk assessment steps and how to comply with the complicated web of related rules, regulations and reporting. BAs can adequately address both HIPAA compliance and ePHI security risk by using the HITRUST CSF, with controls tailored to their specific organizational, system and regulatory risk factors.
BAs are obligated to provide compliance reporting to their health care clients, and when it comes to ePHI security there can be a wide range of reporting format requests. The “SOC2 for HITRUST” report is increasingly being used by Covered Entities as their default reporting method, as it accommodates those diverse needs. BAs that use the “SOC2 for HITRUST” for their own compliance reporting make it easier and more efficient for Covered Entities to roll up their BAs’ reports into theirs, which will likely further improve their appeal as a vendor choice.
Support for Business Associates
Although neither HIPAA nor HITRUST assessments are required to be performed by an independent third party, BAs are increasingly partnering with professional IT services firms with proven expertise in the health care industry. Doing so gives them an objective perspective in developing a sound security and risk management program for protecting their ePHI data now and on an ongoing basis.
It is clear that BAs that can demonstrate that their services fall in line with HIPAA and HITRUST compliance guidelines benefit not only from the ePHI security best practices that help protect the business, but will also very likely have a competitive advantage in the health care market.
About the Author: Andrew Hicks is the Healthcare Practice Director for Coalfire, the global technology leader in cyber risk management and compliance services. Coalfire’s approach builds on successful, long-term relationships with clients to achieve multiple compliance objectives tied to a long-term strategy to prevent security breaches and data theft. For more information, visit www.coalfire.com.