Understanding HIPAA compliance
HIPAA compliance is complex, but it doesn’t have to be. This guide is meant to explain HIPAA at a high level in the time it takes to drink a cup of coffee.
Over the many years Datica has been providing HIPAA compliant cloud solutions to healthcare companies large and small, we have amassed a comprehensive understanding of what makes HIPAA confusing.
We have empathy for the anxieties you encounter and the confusion even veteran healthcare leaders confide to us. We understand the questions we are asked and the curiosities newcomers have. It is because of this unique position as HIPAA experts in the healthcare community that we decided to aggregate the most important topics into a condensed, easily digestible guide for those looking to quickly gain literacy around HIPAA.
This guide will walk you through important definitions and concepts, building on previous learnings. You will emerge armed with a basic understanding of HIPAA’s purpose and rules, your obligations, and ways to address compliance.
HIPAA stands for the Health Insurance Portability and Accountability Act. The spirit of HIPAA is pretty simple:
Secure and protect personal health information
Enforce standards for electronic transactions in healthcare
Specifically, HIPAA has three main parts:
HIPAA Privacy Rule
This portion of HIPAA deals with protection, access, and authorization related to protected health information (PHI). It sets rules for when and how PHI is disclosed but also gives individuals ownership of their health records, as well as rights to access them and request corrections.
HIPAA Security Rule
This rule sets standards for the security of technology used to access, store, transmit, or process PHI. It is concerned with electronic PHI, or ePHI, and operationalizes much of the Privacy Rule. It’s not always prescriptive in how to secure technology, as some aspects are left to interpretation. This section of HIPAA is most relevant to app developers from a practical standpoint. Certain implementation specifications in the security rule are either required, meaning you have to do them, or addressable.
Addressable specifications are ones for which an entity must do one of the following:
Implement the specific requirement as written
Implement an alternative specification
Not implement anything for that specific requirement because it is not reasonable or necessary to do so
As with most things in HIPAA, the important thing is that decisions related to addressable specifications are documented.
Breach Notification Rule
The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information to the affected parties.
What is PHI?
PHI stands for Protected Health Information and is individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or Business Associate. The core of HIPAA regulations is to ensure that ownership of any and all medical data is retained solely by the individual. The individual can then decide to parcel out access to others. The two principles guiding this follow.
Bias and discrimination
Since patient data is valuable in clinical trials, medical case studies, etc., anonymization and de-identification take place. Anonymization is a process by which PHI elements are removed or changed with the purpose of minimizing or removing the possibility of going back to the original data set. De-identification under HIPAA occurs when data has been stripped of common identifiers. Given the above constraints, it is essential that any application take these anonymization and/or de-identification requirements into account before any data is shared with an external entity.
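As an added illustration (not part of the original guide and not Datica's code), the following Python sketch applies the HIPAA Safe Harbor de-identification rules to a flat patient record before it is exported. The field names and the restricted ZIP prefix set are constructed for the example; it uses an allowlist so that any field not explicitly permitted is dropped rather than leaked.

```python
"""Safe Harbor style de-identification of a flat patient record.

Constructed example: field names are hypothetical. The approach is an
allowlist: a field passes only if it is explicitly known to be safe or has a
defined transformation, so a new identifying column added upstream is dropped
by default rather than leaked.
"""
from datetime import date

# Three-digit ZIP prefixes that must be reported as "000" because the area has
# 20,000 or fewer residents. Constructed sample; the real list is derived from
# Census data and must be maintained separately.
RESTRICTED_ZIP3 = {"036", "059", "102", "203"}
# Fields carrying no direct identifier; pass through unchanged. State-level
# geography is permitted, anything smaller is not.
SAFE_FIELDS = {"diagnosis_code", "lab_result", "sex", "state"}
# Dates related to the individual are reduced to the year only.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def _year_only(value: str) -> int:
    return date.fromisoformat(value).year


def _safe_zip3(zip_code: str) -> str:
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def _safe_age(value: int) -> str:
    # Ages over 89 are aggregated into a single "90+" category.
    return "90+" if value > 89 else str(value)


def deidentify(record: dict) -> dict:
    out = {}
    for key, value in record.items():
        if key in SAFE_FIELDS:
            out[key] = value
        elif key in DATE_FIELDS:
            out[key] = _year_only(value)
        elif key == "zip":
            out["zip3"] = _safe_zip3(value)
        elif key == "age":
            out["age"] = _safe_age(value)
        # Names, MRN, SSN, phone, email, free text, etc. fall through and are dropped.
    if out.get("age") == "90+":
        # A birth year would reveal an age over 89, so it must go as well.
        out.pop("birth_date", None)
    return out
```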
Covered Entity, Business Associate, and Subcontractor
Previously, HIPAA rules defined only two categories of entities: covered entities and business associates. Covered entities are providers, payers, and clearinghouses. Business associates are basically entities that work with covered entities to perform a service to store, transmit, and/or process PHI. The new HIPAA rules expand the number of categories of entities by 50% with the addition of subcontractors.
Subcontractors are entities that business associates use to process, create, or store PHI. Subcontractors don’t have Business Associate Agreements (BAAs), or really any direct relationships, with covered entities; but, as of September 23, 2013, subcontractors need to have BAAs with business associates. Essentially you can think of subcontractors as a business associate of a business associate.
The Importance of Business Associate Agreements
Business associates are people or organizations who contract and provide services and/or technology for covered entities. In the process of providing those services or those technologies, business associates handle, process, transmit, or in some way interact with electronic protected health information (ePHI) from those covered entities. BAAs are basically legal contracts that outline the ways in which business associates follow HIPAA, as well as the responsibilities and risks that the business associate takes on. They typically define the type of services the business associate is providing, the type of data they are interacting with, and state that they will follow HIPAA and not disclose PHI without authorization. They also should address areas around breach notifications and penalties.
Proving Compliance Methods
Anybody can, and many companies do, put “HIPAA Compliant” on their websites. Complying with HIPAA is essential to selling software that processes, stores, transmits, or somehow touches ePHI. The reason companies can self-attest to being HIPAA compliant is that there isn’t a certifying body or accompanying certification for HIPAA.
There are three paths to proving HIPAA Compliance:
Path 1: Self Assessments
Self assessments are the easiest and least expensive, at least in terms of direct costs, to show compliance with HIPAA. Without official audit reports, you must illustrate your compliance story through hand-crafted documentation.
Path 2: Full Third-Party Audits
While you may still have to answer questions from each customer about security and compliance, providing your third-party audit reports will go a long way to circumventing long, drawn-out security and compliance reviews. Broadly speaking, there are two main healthcare compliance frameworks that you can be audited against — HIPAA (from HHS) and HITRUST.
Path 3: Middle Road: Inheriting Proof
Datica was built to create Path 3. There had to be an easier way to build modern healthcare technology, practice modern development practices, comply with HIPAA without having to hire a compliance expert, and prove compliance with HIPAA without doing a full audit.
Many customers utilize our audit reports, policy page, and HIPAA mappings as the cornerstone of their compliance programs. These resources, collectively what we refer to as the HIPAA Sales Package, are a core part of the value that we provide to our customers. We’ve spent thousands of hours on security and compliance (policies, procedures, audits, technology, training, etc) and tens of thousands of dollars on audits so our customers can focus on what they do best. Our customers inherit our work and our expertise, making compliance and trust a core part of their products.
HITRUST is an industry-driven attempt to create a prescriptive, standardized, repeatable compliance framework that all organizations in healthcare can trust. It’s the closest thing healthcare has to the finance industry’s PCI framework. You typically complete a validated HITRUST assessment using a third-party auditor to verify your controls. HITRUST isn’t easy, and it shouldn’t be. Datica is HITRUST Certified.
Administrative vs. Technical Safeguards
The Administrative safeguards in the HIPAA Security Rule account for more than 50% of the rule. These have nothing to do with technology. They are policies and processes that safeguard data.
Categorical areas include workforce security, contingency planning, training, and a few others, all of which are necessary to examine and address. The risk assessment is the big one in this category. A risk assessment should be the first step for most organizations wanting to be compliant and covers documenting architecture, identifying risks related to the protection of PHI, and mitigating those risks.
The technical category of safeguards is usually what people think of when they think of securing ePHI. The biggest areas are encryption, access controls, and auditing. Encryption has to be end to end, and it has to cover data at rest. At rest is typically harder. We have found that we need to use high-performance SSD drives to offset the performance issues that arise with encrypting data at rest. For access controls and logging, basically all activity on servers should be logged, and those logs should be monitored with appropriate alerting. All API calls should also be logged, including what was accessed (at times ePHI), by whom, and when.
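One way to put the logging and alerting requirement above into code, as an added example that is not Datica's platform code: each ePHI-touching API call is recorded as a structured JSON line (who, what, when, from where), and a monitor flags any actor that reads an unusually large number of distinct patient records within a short window. The field names, the threshold and the sample audit trail are constructed for the example.

```python
"""ePHI access audit records plus a bulk-access alert rule (constructed example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def audit_event(actor, action, resource, patient_id, source_ip, ts=None):
    """One structured record for an API call that touches ePHI: who, what, when, where."""
    ts = ts or datetime.now(timezone.utc)
    return {"ts": ts.isoformat(), "actor": actor, "action": action,
            "resource": resource, "patient_id": patient_id, "source_ip": source_ip}


def write_audit(sink, event):
    """Append the event as one JSON line; the sink should be append-only in production."""
    sink.append(json.dumps(event, sort_keys=True))


def bulk_access_alerts(lines, threshold=20, window=timedelta(minutes=10)):
    """Return actors that READ more than `threshold` distinct patients within `window`."""
    events = sorted((json.loads(line) for line in lines), key=lambda e: e["ts"])
    reads = defaultdict(list)
    for e in events:
        if e["action"] == "READ":
            reads[e["actor"]].append((datetime.fromisoformat(e["ts"]), e["patient_id"]))
    alerts = []
    for actor, items in reads.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            if len({pid for _, pid in items[start:end + 1]}) > threshold:
                alerts.append(actor)
                break
    return sorted(alerts)


def sample_log():
    """Constructed audit trail: a clinician's normal pattern and a runaway bulk read."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    sink = []
    for i in range(5):  # 5 patients spread over an hour
        write_audit(sink, audit_event("dr.lee", "READ", "/patients/{id}", f"P{i}",
                                      "10.0.0.5", base + timedelta(minutes=12 * i)))
    for i in range(30):  # 30 distinct patients in under 6 minutes
        write_audit(sink, audit_event("svc-report", "READ", "/patients/{id}", f"P{100 + i}",
                                      "10.0.0.9", base + timedelta(seconds=12 * i)))
    return sink
```

In production the same rule would run continuously over the log stream, and the alert would carry the offending records so a reviewer can see exactly which patients were touched.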
Cost seems to be one of a few gating factors for companies considering a HIPAA audit. If you look at the cost of a HIPAA audit, it breaks into two broad categories: direct costs and indirect costs.
HIPAA Gap Assessment: Meant to identify gaps and remediation plans for those gaps, it is the cheapest option and least time consuming. It often does not require an onsite visit from an auditor. A gap assessment leads to a full HIPAA audit; after the gap assessment, organizations spend time addressing the gaps before beginning a full HIPAA audit. The direct cost is about $20,000-$25,000.
Full HIPAA Audit: A full HIPAA audit, when applied to technology vendors, assesses an organization against all the requirements in the HIPAA Security Rule. It includes both technical settings and configurations as well as administrative requirements like training and business associate agreements. It will involve an auditor visit and will require documentation to support claims about security and compliance; this can include showing specific technology settings like password rules and guest access. The direct cost is about $25,000.
Validated HITRUST Assessment: HITRUST is a more complete, certifiable version of HIPAA. It was created by large healthcare enterprises to mirror PCI compliance. It is similar to a full HIPAA audit but goes into much more granular detail about the maturity of controls and compliance programs. There’s now a standard web app that you use to enter information and those entries are then validated by a HITRUST approved assessor. Then HITRUST, the organization, reviews all the entries, typically asks for more evidence, and you hopefully get HITRUST certified at the end. The direct costs for this include both fees to HITRUST and to your auditor (approved assessor). The direct cost is about $60,000-$120,000, yet that cost can be much higher for larger organizations.
Indirect costs are harder to quantify. The biggest factor to consider is time. For each of the types of audit above, the indirect costs increase as you move down the list. For each of our audits, we estimated the total time spent by all employees.
Gap Assessment: 40 hours
Full HIPAA Audit: 100 hours
Validated HITRUST Assessment: 400 hours
We conservatively estimated the cost of an hour of work to be $100/hour. This is partly the cost of salaries and benefits, and partly the opportunity cost of not doing other things with this time (writing code, customer support, sales, marketing, etc.). Based on those numbers, the total cost of the different audits is:
HIPAA Gap Assessment - $17,800-$22,800
Full HIPAA Audit - $27,000-$32,000
Validated HITRUST Assessment - $100,000-$160,000
To Sum it Up
To attain true HIPAA compliance, administrative and technical components must follow the comprehensive regulations as laid out by federal and state officials.
To cover yourself administratively: Consultants are a good place to start, and many of them are quite good. Otherwise there are tools available, like AccountableHQ.com or our open-sourced policies, to gain an understanding of what this means in further detail.
To cover yourself technically: You must consider your full stack, from infrastructure all the way to application. Datica’s HIPAA compliant platform has you covered from the infrastructure point of view, which is nontrivial.