Digging deep

How safe is your patients’ PHI once it gets into the hands of business associates? It may not be enough to know that they are HIPAA-compliant. Here, experts discuss why it is important to dig deep when examining what happens to healthcare data.

In the wake of the HIPAA/HITECH omnibus final rule, risk managers are well aware of the need to examine exactly what happens to data handled by their organization. It can seem an onerous task, but according to Maureen Kaplan, sales director, healthcare, at Verizon, the trick is to view it as an opportunity.

“Having this ruling has given companies a reason to go back and look at where their controls are and implement changes for the future that are ultimately going to make their business stronger and more efficient,” she says. “It’s an opportunity to put some business context around why risk management is so important for a business and to use it as a chance to open up conversations that may be a little stale or may have never taken place at all. It’s something that’s out there and so we should all be embracing it and allowing it to make our businesses better.”

TOO MANY COOKS
While you may have a good idea of what happens to data stored and handled by your organization, things can get a little more hazy where business associates are involved—and now, of course, they have to be HIPAA-compliant too. Kaplan stresses the importance of digging until you have a thorough understanding of how all your organization’s data is handled and where it is stored.

“So many healthcare companies I’ve talked to feel as though they have a good sense of where their private information is and the controls around it. When you dig in a little deeper you start to realize that that sense of control of their data may not be as rock solid as they think,” she says.

Fernando Martinez, formerly corporate privacy and security officer for healthcare consulting firm Beacon Partners, agrees that healthcare providers need to place their business associates under scrutiny. He believes they need to adopt a level of curiosity that looks beyond simple compliance to examine the finer details of how data is handled and where it is stored.

“We as an industry tend to judge risk by the piece of the iceberg we see above the waterline,” he says. “Above the waterline are things like having the policies and procedures in place, doing a risk assessment, having a compliance audit. That generally gives us a feelgood sense about where we are with things in terms of due diligence and being prepared, but what we fail to recognize is what is lurking below the waterline.”
He says that if a healthcare organization does not take an active approach to risk management, it is just a matter of time before that organization becomes a victim; scrutiny and thorough preparation are therefore vital.
“This is not something that you have to develop a defensive plan for; rather you must develop an offensive plan,” he says.

VIGILANCE IS CRITICAL
Martinez argues that organizations need an active program for testing and validating that policies, procedures and controls are effective in protecting PHI, both within the organization and when that information is in the hands of business associates.

“Covered entities need to be more vigilant around business associates,” he says. “We’re really in unchartered waters here because covered entities—large health systems in particular—have never had the time or resources to do that; they just trusted that their business associates are going to do what they need to do.”
He adds that the healthcare industry does not take the threat of regulatory or federal fines seriously enough.
“Even though you see this proliferation of breaches and the penalties that are going along with them there seems to be a lack of urgency or concern around it and that’s really perplexed many people in the industry,” he says. “The HIPAA omnibus rule really speaks of a more rigorous approach to how the federal government will hold organizations accountable for their conduct, so I think this is something that risk managers need to be concerned with.”

He believes that a proliferation of penalties may alert covered entities to the need to be more proactive in their approach to cyber risk.

“The future will tell us what happens but I think if we start seeing a lot of these penalties as far as business associates are concerned it’s going to take healthcare organizations to a different point where they’re going to have to figure out how to develop an internal program to have a higher level of confidence that the business associates are doing what they’re supposed to do,” he says.

Another note of warning: the HIPAA/HITECH omnibus final rule may make business associates responsible for protecting PHI, but it does not let covered entities off the hook as regards ultimate responsibility for that data.
“The final rule has expanded the definition of ‘business associate’ to be anybody who touches and handles PHI on the covered entity’s behalf, not just transmits or stores it,” says Kimberly Holmes, deputy worldwide healthcare product manager for specialty lines at the Chubb Group of Insurance Companies.

“Those business associates can now be directly liable themselves, so health and human services can go after them directly for liability if there is a data breach, but the covered entity is never off the hook for ultimate liability because they own the PHI so the onus is on them, the covered entity, to do their homework, do their due diligence.”

That’s all the more reason why covered entities should do everything they can to ensure that the vendors and service providers they deal with have adequate safeguards in place to prevent a data breach from occurring.
“You need to vet those associates and make sure they have the right controls, protocol, training requirements, etc, because at the end of the day the covered entity always owns that liability under HITECH. The covered entity is never off the hook,” she says.


Growing demand for CSF
In an effort to stem the loss of PHI via business associates, leading healthcare organizations will increasingly require their business associates to participate in the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Assurance Program and submit CSF assessment reports as part of their information protection programs. That is the view of Daniel Nutkis, chief executive officer, HITRUST.
“Since the number of combined business associates providing services to healthcare organizations requiring the CSF Assurance Program is in the tens of thousands, we believe the efficiencies and cost savings they realize will help influence others and provide the momentum needed to improve adoption in the industry,” he says.

The CSF and the CSF Assurance Program offer the only highly flexible implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring safeguards based on an organization’s specific risk factors. Organizations also have the ability to implement alternate approaches to address specific threats and vulnerabilities, and employ a standardized methodology for assessment and reporting that is easily understood by both the requesting organization and the business partner being assessed.

The program has been welcomed by healthcare organizations and their business associates. “As a business associate for many healthcare organizations, we receive numerous requests for information security assessment-related information, much of which consists of varying detail and reporting formats, and it takes up a significant amount of time to respond effectively,” says Kurt Hagerman, director of information security for FireHost.

“The CSF Assurance Program, on the other hand, provides the context and uniformity needed to communicate the same information, assurance level and remediation guidance with one assessment and meet all of our customers’ needs.”