The final compliance date for the revised Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rule is only a few months away. The latest change, the Omnibus Rule, makes the Business Associates of Covered Entities (which includes ISVs) directly liable for compliance with the regulations. The Omnibus also places tighter controls around access and sharing of data.
Health IT departments need to ensure that their vendors are aware, prepared and up to the task of complying. The clincher is the cloud. Healthcare providers increasingly rely on third parties such as cloud-based healthcare vendors for maintaining and storing personal health information (PHI). Going to the cloud brings an additional dose of risk for HIPAA compliance, since the data is no longer within corporate walls and is subject to breaches at the vendor organization. Below are some issues to consider and questions to ask when discussing cloud-based solutions with your vendors. They may also apply to both healthcare providers and third-party consultants deploying the solutions.
By Scott Petry, Co-Founder and CEO of Authentic8
1. Data storage and isolation: How does the vendor store your data within their data centers? Typically, cloud-based apps will write data to multiple servers and back up across multiple locations. Your vendor will do this for performance, quality of service and data continuity reasons. Most of this multi-destination data writing is done at the application level, yet cloud vendors also need to conduct manual backup and maintenance processes that bring machines online and offline. When humans are involved, there’s plenty of opportunity for a mistake or breach. Your vendor should be able to provide you with a data architecture diagram, as well as a service-type block diagram to show how their app is writing, synchronizing and deleting your data.
If your cloud service is multi-tenant, that means your data is co-mingled with other companies' data, so you'll need to double check their data architecture. Understand how your data, which is governed by regulations, is isolated from other companies' data. Make sure the vendor can segregate your data, maintain the chain of encryption required and perform any maintenance actions on your data, without compromise. One litmus test is to ask your vendor how they assure deletes of your data. Is it based on a standard chronological process? Or can your delete actions take effect immediately (or within a reasonable time)? If their answer is that deletes are processed chronologically as batch transactions, they probably cannot isolate your data and operate on it uniquely.
2. Encryption: Any cloud vendor worth their salt will tout the bit level of their "military grade" encryption, yet the utility of an encrypted system goes well beyond the sophistication of the encryption algorithm. Ask your vendor to explain how their data is encrypted, including how keys are generated and where they are stored and accessed. If keys are readily available, the most sophisticated algorithm in the world might be useless. Does the vendor run their own Certificate Authority, or are they using commercial keys? Again, who has access to those keys, and how the root key (or keys) is protected are important factors.
Here are some other considerations regarding encryption: Is data encrypted at a disk level? If the entire disk is encrypted and it is a multi-tenant environment, that could be a problem, because a decryption action performed on behalf of another company might expose your data. If data is encrypted at an object level, or if each customer's data is encrypted at a file level, it's worth asking about the lifecycle of key management. You'll want the keys to be unique to you, but you don't want only a single key. Key revocation and key expiry are important tools for restricting access to data in certain operational situations, for instance with backed-up data. You'll also want to think through the process of migration. If you move away from the vendor's solution, you'll need to be able to extract your data, decrypt it and import it into another system without undue hassle. There is no correct answer here, but it is necessary to understand what safeguards your vendors are taking with your data at a level deeper than the marketing datasheet.
3. Downloading and distribution of data: When it comes to application-level controls, you should be familiar with the capabilities within the app to manage and control who has access and what they can do with the data. In today's world, users are accessing apps from their mobile devices over public Wi-Fi networks. Can the vendor maintain the integrity and controls over the data all the way to the end device? If a user undermines your compliance by accessing from an insecure place, or downloads data to an unauthorized machine, you're just as screwed as if the vendor caused the breach. The vendor should offer the ability to set access rules based on role, location and/or device. If your vendor feels that their responsibility ends at the wall of their data center, look elsewhere to supplement your controls. Solutions that allow users to access sensitive data in the same anywhere-anytime-any-device manner that they have with other apps, without jeopardizing security, are increasingly available. It may not be reasonable to expect one vendor to address the entire spectrum of risk. Consider device-side management utilities, single sign-on solutions, and/or a secure browsing solution to address the balance you need between easy access and risk management.
4. Accountability: What are the lines of demarcation between the provider organization and the vendor, if a breach or misuse of PHI does occur? The vendor can’t be liable for employee misuse, but your agreement will need to spell out responsibility for what the vendor should be able to control. Negotiating contracts where roles and responsibilities are clear to both parties is hard, and many vendors don't like to add non-standard terms. Still, your contract must cover the stipulations you need for HIPAA compliance.
Many "standard" HIPAA-related contracts require parties to "use appropriate safeguards" in handling data. While ambiguous language might be good for the lawyers, if you have a breach, the conditions and liabilities need to be more specific. Define roles and responsibilities of each party as a means of preventing issues as well as remediating issues. The contract should specify remediation steps, such as how issues will be identified, communicated and resolved, where and by whom. The vendor’s role should also adapt to any changing regulations during the term of the agreement. Critically, in the event of a breach, you'll need an agreed-upon communication protocol for disclosures and notifications.
5. Usability: What is the vendor’s philosophy/approach regarding the balance between strong security and the need for clinician convenience and usability? IT loves the cloud because of the lower costs. Users love the cloud due to the anytime, anywhere access. But in a HIPAA world, both the cloud and convenience can make providers uneasy. If you've found a cloud vendor that satisfies your back-end requirements, don't forget to test the user experience. Having users embrace and advocate new technologies makes the life of IT easier and helps achieve the broader organizational goals of the software. Healthcare IT systems should work as seamlessly as the fun, light consumer services that people use regularly today; you may need to conduct user trials and surveys to find out if the solution improves or hampers productivity.
HIPAA is a costly and challenging reality for U.S. healthcare organizations of all sizes, yet there are ways to comply with the law and still provide users with fast, information-rich experiences to support better patient care and cost reduction. These are lofty goals, yet establishing a healthy partnership with your vendors is a critical step in the right direction.