Those in the healthcare industry should be very familiar with the new security and privacy rules under the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted to strengthen the health information privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as the deadline for compliance was September 23, 2013.
The big news, though, is that many vendors who provide services to “covered entities” may now fall under the definition of a “business associate” (BA) and be held liable if they are not in compliance. If you’re not sure, read the new rule and definition now, or get some help to be sure you haven’t missed a deadline.
Whether you are a covered entity or a BA, it is imperative that you understand the difference between being secure and being compliant. The two are not mutually exclusive. The law requires you to be compliant, and with privacy a huge issue in the news, your customers and your reputation require you to be secure. Complying with the HIPAA/HITECH rules does not mean you will be secure. In fact, it’s important to remember that 100% security is nearly impossible.
So, what can you do? Focus on security that will lower your risk of a cyber incident or data breach, and reduce your liability by showing due diligence and putting the right pieces in place. In other words:
- Conduct a risk assessment of the information you collect, process, and store. Look at how it flows across your organization, who has internal and external access to it, and how it is secured when under your control.
- Write and implement the necessary policies to document and clarify this process.
- Ensure your workforce is trained on cybersecurity and on how to avoid common scams, phishing, e-mail tricks, spam, data loss and/or theft, etc.
In most cases, performing these tasks will cover half or more of the tasks necessary for compliance. Compliance should not be your primary goal; security and reducing risk and liability should be the goal, with compliance being one part of your security plan.
Once you have your house in order, look to your vendors. Do not assume vendors are compliant or have taken the steps to secure their networks and the information they are holding for you. Before hiring a vendor for e-mail, server storage, cloud services, and more, ensure you ask, at a minimum, the following questions:
- Does the vendor have a security policy/plan?
- Have they been through a risk assessment and security audit in the last year?
- If not, have they ever conducted one? Do they plan on doing one?
- If yes, will they provide the results?
- Do they qualify as a BA under the definition?
- If yes, are their vendors’ systems and networks HIPAA compliant?
- Will they or have they signed a BA agreement?
- If they suffer a breach, how soon will they notify you—within hours, days, or weeks?
- Do they have a HIPAA compliance policy, security policy, acceptable use policy, and other policies, such as encryption, social media, and wireless? Are their employees trained on cybersecurity awareness and how often?
Your liability does not end at the edge of your network. It extends to the contracts and relationships you have entered into and the people you have entrusted with data you are ultimately responsible for. Implementing the right policies, ensuring your workforce is trained, and managing vendors are imperative to showing due diligence. Unfortunately, today many organizations bury their heads in the sand, assume their IT company or vendor is taking care of it, or believe that it won’t happen to them! Do not make these dangerous assumptions.