The fact that HIPAA compliance isn’t bulletproof – that cyber security frameworks around health information require a new level of vigilance – is now axiomatic. Perhaps owing to whatever legislative sausage-making gave birth to HIPAA, the law, whose purpose is to protect the privacy and security of protected health information, offers no guidance on how to follow it.
Third parties have stepped in to assist the technology community, primarily with formulation of the HIPAA HITECH audit, and passing that rigorous test has become the bare minimum for any vendor doing business in the HIPAA space.
Still, 73 percent of U.S. healthcare organizations reported a rise in cyber security incidents related to third-party vendors, with 49 percent saying a data breach occurred because of an outside vendor, according to a survey.
The survey also found that 37 percent believed their third-party vendors wouldn’t disclose a data breach, while 41 percent expressed confidence that their vendors had data breach response plans in place.
False Sense of Security
For providers, if a single Social Security number leaves your facility, the loss can be catastrophic to the holder of that Social Security number. Almost by definition, “small-ish” data losses don’t hit the radar, or the headlines, but that doesn’t diminish their power to do real damage.
In the case of that Social Security breach, every patient that provider serves is now a victim as well. And smaller organizations have a harder time both being secure and being aware of their security situation.
It’s generally smart to install Data Loss Prevention (DLP), the standard software methodology for determining whether a breach has occurred, but DLP isn’t a panacea and it can monitor only so much. While DLP may make life easier, it’s certainly not required for HIPAA compliance.
In fact, precious little is required for HIPAA compliance.
HIPAA sets forth a rigorous and demanding regulatory environment, and only a select number of vendors can truly compete in the space, largely because of these data security requirements. But in order for a vendor to say that it’s HIPAA compliant, that provider doesn’t actually have to do anything.
No one forces any provider to submit to a HIPAA audit. For many (I’d say too many), the “business associate agreement” loophole is big enough to drive an ambulance through. A business associate agreement (BAA) under HIPAA is a sort of promissory note that the provider will adhere to the HIPAA law. Agreements are typically vague, however, and open to interpretation.
Every upstream provider that handles data needs to sign a BAA in order to be in the HIPAA food chain. But a BAA doesn’t compel compliance or insulate providers from liability (or responsibility); that’s why healthcare providers looking for IT support need to exercise extraordinary due diligence.
As of right now, there’s a persistent lack of clarity around HIPAA, and nothing has been tested in court. Where does the responsibility lie? With the healthcare provider? With the vendor? Where does the buck stop?
Unresolved questions aside, healthcare providers are still subject to the full extent of the HIPAA law — security, backup, data protection, the entire gamut. And they are required to notify patients if a breach occurs.
While healthcare providers might be capable of doing various techy things on their own – conducting annual HIPAA audits and getting on that test/fix cycle – most would prefer not to do the heavy lifting in-house. Better to screen and select a cloud provider that can do those essential tasks on your behalf, deliverables that can then be dropped into your HIPAA audit.
If that provider’s nodding familiarity with HIPAA doesn’t extend beyond a BAA, however, keep looking.
Until the law is thoroughly vetted in court, you, as the healthcare provider, are on the hook. That federal authorities could go after both you and your vendor in parallel doesn’t relieve you of due diligence. The prudent strategy is to partner with a vendor that you can validate as fully engaged in HIPAA protocols.
The American Hospital Association offers a cyber security Web page to help healthcare providers develop and share cyber security measures by providing resources about cyber security threats and data security response plans. The group urges hospitals and health care organizations to train staff, develop risk management and response plans at the organizational level, and strengthen board support.
Clearly, someone has to do the due diligence. Someone needs to look at the provider landscape as a third party and assure a level of security people can count on. A vacuum exists, and it needs to be filled. Audits aren’t enough.
So here’s the takeaway: healthcare providers need to vet cloud vendors on the basis of their ability to deliver real pain relief (health metaphor intended) and to clearly show that they have gone the extra mile toward true protection.
That’s the kind of due diligence that third parties need to exercise, beyond the HITECH audit (which, again, doesn’t relieve anyone of liability). For enlightened technology providers, HIPAA compliance should be regarded as a responsibility and, yes, an opportunity — not a burden.