COVID-19, shelter-in-place orders, and social distancing have imposed a number of changes in business culture and operations, and in no sector more than healthcare. As these organizations shift strategy, from integrating new telehealth offerings to supporting work-from-home agents, HIPAA compliance is becoming more and more complicated. For example, are your newly remote revenue control agents who take patient phone payments doing so in a HIPAA-compliant environment?
As you make decisions about vendor partners to help with your COVID-19 workplace changes, you need to make sure they are compliant, and, if they will create, receive, maintain, or transmit PHI on your behalf, that they will sign a Business Associate Agreement (BAA). This guide will help you sort out the complexities of HIPAA compliance for vendors, cloud software providers, communications solutions, hosting, and more.
Health Insurance Portability and Accountability Act (HIPAA)
For organizations that must comply with the data security requirements of the Health Insurance Portability and Accountability Act (HIPAA), choosing the right provider of third-party services can be complicated. With the right partner, you can get to market faster, stay focused on your business, and have peace of mind that your systems and data are secure and compliant.
It is essential to proceed with caution when choosing a HIPAA-compliant managed service. Security breaches of your patients’ Protected Health Information (PHI) can leave your organization facing substantial fines and damage your reputation. With more healthcare organizations employing several technology vendors, the stakes have never been higher.
Complicating the selection process is the recent growth in data security regulations. Combine this with expanding market demand, and many technology services say, “Sure, we can do HIPAA compliance.” The reality is that service providers vary widely in how experienced, equipped, and skilled they are with HIPAA’s stringent data security requirements.
12 Questions To Ask Technology Partners
This Buyer’s Guide helps you evaluate and choose the best solution from the many service providers that advertise HIPAA compliance. We suggest the following twelve (12) questions to ask of any technology vendor you are considering.
Is there independent, third-party verification that you are HIPAA compliant?
Outside of its complaint investigation process, HIPAA does not provide for any official, government-sanctioned finding of compliance or non-compliance. Combined with HIPAA’s broadly stated data security mandates, this creates an environment in which organizations have wide latitude to claim HIPAA compliance. Choosing a provider whose claim of compliance rests on a self-assessment is a risk factor: a future complaint investigation could be the first time an objective judgment is made. You can reduce your risk exposure by insisting that any service provider furnish proof of independent verification of HIPAA compliance from a credible third party.
The most widely recognized form of third-party assessment in this space is Common Security Framework (CSF) Certified status from the Health Information Trust Alliance (HITRUST). HITRUST is an independent organization composed of leaders from the healthcare and information technology industries. The CSF developed by HITRUST is an information security framework that harmonizes the requirements of existing standards and regulations relevant to the healthcare industry, including HIPAA. Note that no certification, HITRUST included, is an official finding of HIPAA compliance; it is evidence that an independent assessor validated the provider’s controls against a framework that incorporates HIPAA’s requirements. That evidence provides peace of mind for healthcare companies and reduces the scope and cost of their own HIPAA assessment processes, since controls the vendor operates and has had assessed need not be re-tested from scratch.
How do you align the HIPAA Security Rule to specific security controls?
The security mandates of HIPAA are broadly cast, leaving considerable ambiguity as to which specific controls satisfy them. For example, the Security Rule’s person or entity authentication standard (§164.312(d)) requires procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is who they claim to be, but whether that means seven-character passwords, 25-character passwords, or a hardware token is unspecified. In this context, there can be substantial security differences between service providers depending on their interpretation. Interpretations of HIPAA run from the bare minimum of providers who map only to HIPAA’s generalities, to highly demanding standards and best practices.
Your partner should map HIPAA’s requirements to selected security controls and control enhancements of the HITRUST CSF, which draws on the National Institute of Standards and Technology (NIST) Special Publication 800-53 and the International Organization for Standardization (ISO) 27002, among others. These best-practice-based controls provide security from both a functionality perspective and an assurance perspective. Ask for the written control mapping, so you can see exactly which control the vendor relies on for each HIPAA requirement.
Do you guarantee that your clients will pass all HIPAA audits?
One of the biggest points of difference among service providers that tout their HIPAA compliance is how far they stand behind it. No vendor can honestly guarantee that you will pass an audit: your workforce training, your policies, and the applications you run on top of the platform are outside the vendor’s control. What a truly compliant partner can commit to is supporting clients through a HIPAA-related audit, assessment, or review: supplying its own attestation reports, a mapping of which controls it operates and which remain yours (often called a shared-responsibility matrix), and answers to your assessor’s questions. It is common for providers to leave clients largely on their own during the audit and to treat the outcome as the client’s problem, so get the support commitment in writing.
How do you monitor security issues?
The HIPAA Security Rule’s audit controls standard (§164.312(b), a Technical Safeguard) requires mechanisms to record and examine activity in systems that contain ePHI, and its information system activity review requirement (§164.308(a)(1)(ii)(D), an Administrative Safeguard) requires that those records actually be reviewed. Well-designed and well-operated monitoring systems can help proactively identify potential security problems. While a variety of monitoring technologies are available and widely used, genuinely effective security monitoring is not just a matter of the right tools. Monitoring tools do not secure your systems by themselves. Human involvement is critical to parse the data, determine what is important, and ensure that prompt, appropriate action is taken. Industry data shows that, in a high percentage of security-breach cases, relevant monitoring data was available in advance of the breach but had not resulted in action.
Make sure your partner provides 24×7 support and monitoring, and reviews and remediates security logs of servers, firewalls, intrusion detection, antivirus, and file-integrity systems.
How do you implement system access and limit it to only those authorized?
The HIPAA Security Rule requires covered entities and business associates to implement technical policies and procedures that allow only authorized persons and software programs to access ePHI. Unauthorized access to ePHI not only compromises the confidentiality of the data; it may also jeopardize data integrity and availability. Despite the HIPAA mandates around access control, unauthorized access to ePHI remains a common type of security breach. Of the ten largest HIPAA security breaches of 2012, half involved improper access to protected health data by employees or contractors.
Be sure a vendor under consideration uses an enterprise-wide two-factor authentication and authorization process. Such a process limits system access to those authorized for their job role, and gives secure, auditable administrative access to compliant systems. Ask how privileged access is granted and revoked when staff join, change roles, or leave, and confirm that every administrative action is logged to an individual rather than to a shared account.
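As an added illustration of what this question is probing for (this is example code written for this guide, not any vendor’s product), the block below models the three pieces together: a second factor (RFC 6238 TOTP, implemented with the standard library), a permission check driven by job role, and an audit record for every decision, allowed or denied. The user name, password, role table and resource names are hypothetical; the TOTP secret is the RFC 6238 test-vector key, so the code for Unix time 59 is the published value 287082.

```python
"""Role-based, two-factor, audited access to an ePHI system (illustrative model)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List


# --- second factor: RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1 -------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 of the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter set to the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def totp_matches(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock skew."""
    for offset in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + offset * 30), code):
            return True
    return False


# --- first factor: salted PBKDF2 password hash ---------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# --- authorization: permissions granted per job role (hypothetical role table) -

ROLE_PERMISSIONS = {
    "billing_agent": {"payment:write", "patient:read_demographics"},
    "clinician": {"patient:read_chart", "patient:write_chart"},
    "sysadmin": {"server:admin"},
}


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes


@dataclass
class AccessGateway:
    users: Dict[str, User]
    clock: Callable[[], int]          # injectable clock keeps the example deterministic
    audit_log: List[dict] = field(default_factory=list)

    def request(self, username: str, password: str, code: str,
                permission: str, resource: str) -> bool:
        """Verify both factors, then authorize by role; every outcome is recorded."""
        user = self.users.get(username)
        now = int(self.clock())
        if user is None or not hmac.compare_digest(
                hash_password(password, user.salt), user.password_hash):
            return self._record(username, permission, resource, now, "deny:password")
        if not totp_matches(user.totp_secret, code, now):
            return self._record(username, permission, resource, now, "deny:mfa")
        if permission not in ROLE_PERMISSIONS.get(user.role, set()):
            return self._record(username, permission, resource, now, "deny:not_permitted")
        return self._record(username, permission, resource, now, "allow")

    def _record(self, username, permission, resource, now, outcome) -> bool:
        # Denials are logged as well as grants: the audit trail is what a reviewer
        # (or, after a breach, an investigator) reads to reconstruct who did what.
        self.audit_log.append({"time": now, "user": username, "permission": permission,
                               "resource": resource, "outcome": outcome})
        return outcome == "allow"


# --- constructed demo data (hypothetical user; RFC 6238 test-vector TOTP key) --
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"fixed-salt-for-demo-only"
DEMO_PASSWORD = "correct horse battery staple"


def build_demo_gateway(unix_time: int = 59) -> AccessGateway:
    users = {"agent.smith": User("agent.smith", "billing_agent", DEMO_SALT,
                                 hash_password(DEMO_PASSWORD, DEMO_SALT), DEMO_SECRET)}
    return AccessGateway(users=users, clock=lambda: unix_time)


if __name__ == "__main__":
    gw = build_demo_gateway()
    code = totp(DEMO_SECRET, 59)   # "287082" per RFC 6238 Appendix B
    print(gw.request("agent.smith", DEMO_PASSWORD, code, "payment:write", "invoice/4711"))
    print(gw.request("agent.smith", DEMO_PASSWORD, code, "server:admin", "db-prod-01"))
    for event in gw.audit_log:
        print(event)
```

The point to take from the model is structural: the billing agent can take a payment but is refused administrative access to a server even with a valid password and code, and both the grant and the refusal land in the same log keyed to the individual. When you ask a vendor this question, you are asking whether their platform works the same way.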
Is physical access restricted in your facilities that host protected health information?
HIPAA mandates physical safeguards to protect the facilities, computers, and devices that hold ePHI. The concern for physical security is well-founded: since the Department of Health and Human Services began tracking HIPAA breach data, the most common type of breach has involved the theft or loss of physical devices such as laptops, portable drives, and backup media. Be sure your vendor maintains physically secured data centers that meet all HIPAA requirements. Securing facilities and equipment involves a range of safeguards, including mantraps, access cards, biometric controls, sign-in logs, visitor escorts, and documented procedures for the disposal and re-use of media that has held ePHI.
Do you have security training programs for all members of your workforce?
Protecting PHI requires more than having physical and technical safeguards in place. A critical component is training the people who work with and around the data. As part of its Administrative Safeguards, the HIPAA Security Rule requires a security awareness and training program for all members of the workforce of any organization that handles ePHI, management included.
Make sure your vendor’s support team receives extensive training to make sure they function in full compliance with HIPAA standards. They should maintain a security awareness and training program that all members of the workforce, including management, are required to complete.
Do you offer both dedicated and cloud solutions?
Depending on your particular IT needs, you may need a dedicated server platform, a cloud platform, or a hybrid combination of both. To effectively meet your business objectives while also satisfying HIPAA requirements, you need access to multiple HIPAA-compliant platforms. You may find that few managed hosting providers can couple steadfast HIPAA compliance with diverse and flexible deployment options.
Can you provide compliant solutions from multiple geographic locations?
The HIPAA Security Rule calls on covered entities not only to protect the confidentiality and integrity of ePHI but also to ensure that the data is available when needed. One of the most effective ways to ensure uninterrupted availability is to use multiple, geographically separated data centers in your service architecture. Using multiple data centers can help safeguard availability in the event of natural disasters, region-wide power failures, or malicious attacks.
Make sure your vendor has multiple HIPAA-compliant data centers for geo-redundancy in your service architecture.
Do you maintain disaster recovery and emergency mode operation plans for your facilities?
The contingency plan standard of the HIPAA Security Rule requires covered entities and business associates to maintain a data backup plan, a Disaster Recovery Plan (DRP) to restore any loss of data, and an Emergency Mode Operation Plan (EMOP) for continuing the critical business processes that protect the security of ePHI while operating in emergency mode after a disaster. Testing and revision of those plans, and an analysis of which applications and data are most critical, are addressable specifications under the same standard.
Your managed hosting provider must have a DRP and EMOP, and so must you: the vendor’s plans cover its facilities and platform, not your applications, people, or processes. Ask when the vendor’s plans were last tested and what the test found.
How do you handle notification of a breach?
The HIPAA Breach Notification Rule sets deadlines for notifying affected individuals of a breach of unsecured PHI: without unreasonable delay, and no later than 60 calendar days after the breach is discovered. You must also notify the Department of Health and Human Services (at the same time for breaches affecting 500 or more individuals, otherwise in an annual log) and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets. A business associate has its own obligation to notify you, again within 60 days of discovery, but because your own clock can start when the vendor learns of the breach, that regulatory maximum is far too slow in practice. Given these deadline-driven mandates, it is essential to work with a managed hosting provider that is prepared to detect a breach and report it to you quickly, and to write a much shorter contractual notification window, with named contacts and a defined escalation path, into the Business Associate Agreement.
What sets you apart from other HIPAA compliant cloud and hosting providers?
There may be several managed hosting providers competing for your business. Ask each what uniquely qualifies them to be your HIPAA-compliant hosting service. Is HIPAA compliance one of their core competencies, or a checkbox added to a general-purpose offering?
Don’t Rush It!
During challenging business environments, such as responding to COVID-19, it can be difficult to temper our urge to find and deploy urgently needed solutions. However, with HIPAA compliance requirements and the importance of keeping patient health information secure, selecting the right vendor is more important than ever. Contact us to learn more about our HIPAA compliance attestations, and how we can help with your changing needs.