Since the Anthem breach was made public earlier this year, there has been a host of commentary on everything from the need for more data encryption measures to the need for more accountability at the C-level of most health care organizations. While many of these measures may prove to be the new reality, what is clear right now is that most health care organizations will be taking a much closer look at how vendors manage protected health information. This puts the security programs and compliance efforts of Business Associates (BAs) under a microscope.
Vendors handling electronic protected health information (ePHI) need to make sure their services are HIPAA and HITRUST compliant. That not only protects them from the risks of non-compliance, which include potential financial and criminal penalties, but will likely position them as a trustworthy vendor and give them a competitive advantage in the health care market. This article outlines what BAs should know about HIPAA and HITRUST, so they can make informed decisions for their business.
Threats to data security, including ePHI, are ongoing and seem to increase every day. State-sponsored attacks on health care data appear to be rising, concerns about the safety of data in the cloud persist – the list goes on and on. The November 12, 2014 Forrester Research article Predictions 2015: Data Security and Privacy are Competitive Differentiators states, “If your customers don’t trust you to rigorously protect and genuinely respect their sensitive data, they’ll take their business elsewhere. Thus, if your enterprise wants to successfully win, serve, and retain customers, the people, process, and technology that underpin data security and privacy must be critical elements of its business technology agenda.” They go on to add, “Half of enterprises will consider privacy a competitive differentiator.”
Business Associates Defined
Vendors should start by having a clear understanding of whether or not they are a BA. Essentially, if a company contracts with a Covered Entity to perform services on their behalf, and ePHI is involved, they are a BA. Common functions of BAs include billing, data analysis, claims processing and utilization review. Other functions that fall under the BA umbrella include providing managed services, data hosting, mobile applications or software as a service (SaaS).
If defined as a BA, vendors need to understand their responsibilities under the HIPAA Omnibus Rule. BAs have direct responsibility for protecting ePHI and must report these efforts to their health care clients. When it comes to assessments, both HIPAA and HITRUST are designed to safeguard health care information. Beyond that, their objectives are different.
Once a BA completes a HIPAA security assessment, and all audit recommendations have been resolved, they are considered compliant with the regulatory requirements specifically addressed by the HIPAA Security Rule.
However, when BAs focus solely on the HIPAA Security Rule from a compliance-only perspective – without performing a true risk analysis – there are usually gaps in security controls that mean cyber threats to ePHI have not been fully addressed.
Assessments are complicated by the fact that HIPAA provides limited guidance to BAs about how to determine risk, so BAs typically need to look for guidance from organizations such as the National Institute of Standards and Technology (NIST) or HITRUST.
Unlike HIPAA, HITRUST is not a standard or regulation. HITRUST assessments are focused on identifying and resolving risk. They consider compliance with HIPAA regulations but take a broader approach to protecting ePHI.
The HITRUST Common Security Framework (CSF) was developed to provide organizations with a comprehensive, integrated approach to protecting ePHI data in the health care industry. The CSF’s control requirements are scaled based on the characteristics of the organization and systems to be evaluated. It considers all the standards and regulations that apply to BAs and other health care organizations including HIPAA Security Rule requirements, NIST and ISO standards, as well as the plethora of other federal, state and business requirements.