Key Lessons from Other Security and Privacy Standards
Business associates should be aware that data security and privacy are central to compliance regimes beyond HIPAA, notably SOC 1/2 reporting and the PCI DSS (Payment Card Industry Data Security Standard). A closer inspection of the specific requirements reveals substantial overlap between these standards: the same access-control, audit-logging, risk-assessment and vendor-management controls satisfy several of them at once. Companies can save significant time and money by tackling multiple standards together, but proper execution is key. In diligence engagements, we have seen operators succeed to varying degrees.
On the low-performing end was a healthcare IT (HCIT) company that had been hugely successful in attracting and retaining hospital customers but was lacking in data security. Since its beginnings about a decade earlier, it had grown to become the clear market leader, but at a price.
Despite the huge amount of data it was handling, it had not yet completed a risk assessment (which the HIPAA Security Rule requires) nor performed any penetration testing. In addition, it had recently acquired a company that had signed business associate agreements with its client base, yet executives were unaware of the HIPAA obligations and liability those agreements carried. We promptly informed our client of these gaps and recommended next steps that would allow the company to catch up on all security and privacy concerns. HIPAA compliance was to be the priority, given that any breach would threaten its dominant position.
Rapid growth proved painful for another company we assessed, this time a provider of workforce management solutions. It did not handle PHI and so was not subject to HIPAA rules, but the challenge it faced is likely to plague BAs seeking HIPAA compliance: a number of the data centers it used to store customer data were unable to produce a SOC 2 report. SOC 2 is an auditor's attestation rather than a certification, and a provider that cannot furnish one leaves its customers unable to demonstrate the controls they inherit from it.
In addition, its IT and engineering teams differed in their understanding of industry standards and of the consequences of poor security. Fortunately, investing in improved security was feasible for the company, and we advised it to increase IT/security resources as its cloud footprint continued to expand.
On the other end of the spectrum was a business cloud services provider. Perhaps because it needed differentiators to stand out in a crowded market, the company had strong security and privacy processes across the board. It ran the quarterly vulnerability scans that PCI DSS v3 requires for systems handling credit card data on its platform, hired a trusted firm to perform annual SOC 2 audits, and measured itself against the NIST SP 800-53 control catalog through annual self-assessments.
The last of these is particularly relevant to healthcare companies: HIPAA Security Rule guidance from HHS and NIST maps the Rule's safeguards to NIST 800-53 controls, and FINRA guidance references the catalog as well. Importantly, all of this was overseen by a single individual, the VP of Security and Privacy, who was held accountable by the CTO. To this day, the company remains a strong example of an integrated approach to a number of overlapping compliance standards.
Being Proactive About Compliance
In light of the game-changing HITECH Act, it is crucial that all organizations touching healthcare step back and evaluate their stance on HIPAA compliance. Regulatory burdens now fall more heavily on business associates, a category of wildly diverse organizations that provide different services and functions but have one thing in common: they use or disclose protected health information on behalf of covered entities. To achieve and maintain HIPAA compliance, business associates must act quickly and ensure that people, processes, and technology have all been brought up to the new regulatory standards, either by outsourcing to compliance experts or through rigorous in-house efforts.
Along the way, you might find your company shoring up several other security and privacy gaps — the kind that could derail a nascent or growing venture. As partners of numerous healthcare-focused technology companies, we hope that these lessons learned and changes made in pursuit of HIPAA compliance, while tedious and expensive, will strengthen the organizations we work with and securely position them for the future.